java - Security: CWE-201: What is the correct way to securely read a properties file using openStream?
I'm working on coming up with a solution for CWE-201 as flagged by Veracode.

Background:

CWE-201: Information Exposure Through Sent Data
Information Exposure Through Sent Data. Weakness ID: 201 (Weakness Variant). Status: Draft. Description Summary: The accidental exposure of sensitive information through sent data refers to the transmission of data which is either sensitive in and of itself or useful in the further exploitation of the system through standard data channels.

Phase: Architecture and Design. Strategy: Separation of Privilege. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
Besides... what the heck does that mean to people who code? I'm trying to find practical solutions using Java to resolve the problem.

What I can tell is that the following code causes Veracode to flag CWE-201:

    public void init(URL filePath) {
        try {
            load(new BufferedInputStream(filePath.openStream()));
        } catch (java.io.IOException e) {
            log.error("Could not load server properties file!", e);
        }
    }
More information:

Phase: Implementation. Ensure that any possibly sensitive data specified in the requirements is verified with the designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security-sensitive data being sent.

Phase: System Configuration. Set up default error messages so that unexpected errors do not disclose sensitive information.
I have done the recommendation stated under System Configuration by creating a custom runtime exception that swallows the IOException here... but Veracode still flagged it.

Here's what that code looks like:

    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.Logger;

    public class CWE201Exception extends RuntimeException {
        private static Logger log = ESAPI.getLogger(CWE201Exception.class.getName());

        // The cause is logged to the security audit log and deliberately not propagated.
        public CWE201Exception(String identifier, Throwable t) {
            log.error(Logger.SECURITY_AUDIT, identifier);
        }
    }

And updated the method to this:

    public void init(URL filePath) {
        try {
            load(new BufferedInputStream(filePath.openStream()));
        } catch (java.io.IOException e) {
            throw new CWE201Exception("omgstilldoingthis", e);
        }
    }
Looking through the Veracode report, I came across the following:

Attack Vector: java.net.URL.openStream

Description: The application calls the java.net.URL.openStream() function, which may result in data being transferred out of the application (via the network or another medium). The data may contain sensitive information. openStream() is called on the filePath object, which contains potentially sensitive data. The potentially sensitive data originated from an earlier call to java.lang.System.getProperty.

Remediation: Ensure that the transfer of sensitive data is intended and does not violate the application security policy. This flaw is categorized as low severity because it only impacts confidentiality, not integrity or availability. However, in the context of a mobile application, the significance of the information leak may be greater if it is misaligned with user expectations or data privacy policies.
So it turns out the question is: when you read a property file that resides on the server in this way, indirectly using System.getProperties(), exposing the stream is viewed as a security threat.

With that said, what is the correct way to load a property file so the application can load environment configuration information in a manner that Veracode considers "safe"?
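The finding above is about the data flow (a System.getProperty value reaching URL.openStream), so wrapping the exception does not change it. One way to break that flow, as an added example that is not part of the question or its answers, is to treat the property as a file name only, constrain it to a fixed configuration directory, and open the local file directly rather than building a URL from it. The property name, the base directory and the class name are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

// Added example (not the asker's code). Loads a properties file named by a
// system property, but only from inside an assumed trusted directory.
public final class SafePropertiesLoader {

    // Assumed trusted location; only regular files under it may be loaded.
    private static final Path CONFIG_ROOT =
            Paths.get("/etc/myapp").toAbsolutePath().normalize();

    // Assumed system property, e.g. -Dserver.properties.file=server.properties
    private static final String FILE_PROPERTY = "server.properties.file";

    private static final String GENERIC_ERROR = "Server properties file not available";

    public static Properties load() throws IOException {
        String name = System.getProperty(FILE_PROPERTY, "server.properties");

        // Resolve against the trusted root and strip ".." segments, then check
        // that the result is still inside the root before touching the file.
        Path candidate = CONFIG_ROOT.resolve(name).normalize();
        if (!candidate.startsWith(CONFIG_ROOT)) {
            throw new IOException(GENERIC_ERROR); // do not echo the tainted value
        }

        // Follow symlinks and re-check, so a link inside the root cannot point outside it.
        Path real;
        try {
            real = candidate.toRealPath();
        } catch (IOException e) {
            throw new IOException(GENERIC_ERROR); // NoSuchFileException would leak the path
        }
        if (!real.startsWith(CONFIG_ROOT.toRealPath()) || !Files.isRegularFile(real)) {
            throw new IOException(GENERIC_ERROR);
        }

        // Read the local file directly: no URL is built from the property value,
        // so there is no openStream() call on data derived from System.getProperty.
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(real)) {
            props.load(in);
        }
        return props;
    }
}
```

If the properties file is packaged with the application, loading it from the classpath with getResourceAsStream avoids an externally supplied path altogether.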