java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission


Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practice to set overly permissive file permissions such as read+write+execute for all users. If the affected file is a configuration file, a binary, a script or sensitive data, this can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need. Note that the rule below only evaluates the "others" (world) triple of the mode; group-level permissions are not checked and should be reviewed separately.


Definition

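# Flags Java code that grants read, write or execute to "others" (world) when
# applying POSIX file permissions through java.nio.file.
#
# Detection scope (one clause per pattern below):
#   * a PosixFilePermissions.fromString(...) literal whose last three characters
#     (the "others" triple) contain r, w or x, passed to
#     Files.setPosixFilePermissions either directly or through a local variable,
#     or wrapped in PosixFilePermissions.asFileAttribute(...) so that it can be
#     handed to Files.createFile / createDirectory / createTemp*;
#   * a java.util.Set that receives OTHERS_READ / OTHERS_WRITE / OTHERS_EXECUTE
#     and later reaches Files.setPosixFilePermissions in the same scope.
#
# Known gaps (not matched by any pattern here): owner/group bits (a
# group-writable file is still a risk depending on group membership),
# java.io.File.setReadable/setWritable/setExecutable(..., false), chmod or
# umask done through a spawned process, and sets mutated through an alias.
# The metavariable regex inspects the string literal only; modes built at
# runtime are not seen, hence confidence LOW.
rules:
  - id: overly-permissive-file-permission
    message: Detected file permissions that are overly permissive (read, write, and
      execute). It is generally a bad practice to set overly permissive file
      permissions such as read+write+exec for all users. If the affected file is
      a configuration file, a binary, a script or sensitive data, it can lead to
      privilege escalation or information leakage. Instead, follow the principle
      of least privilege and give users only the permissions they need.
    severity: WARNING
    languages:
      - java
    metadata:
      cwe:
        - "CWE-276: Incorrect Default Permissions"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    pattern-either:
      # Mode string literal passed straight to the sink. The regex anchors on a
      # nine-character rwxrwxrwx string and tests characters 7, 8 and 9 (others).
      - pattern: java.nio.file.Files.setPosixFilePermissions($FILE,
          java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/"));
      # Same literal, but parsed into a local first and applied later.
      - pattern: >
          $TYPE $P =
          java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/");

          ...

          java.nio.file.Files.setPosixFilePermissions($FILE, $P);
      # Permissions supplied at creation time (Files.createFile / createDirectory /
      # createTempFile / createTempDirectory) go through asFileAttribute rather
      # than setPosixFilePermissions; check the same "others" triple there.
      - pattern: java.nio.file.attribute.PosixFilePermissions.asFileAttribute(java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/"))
      # Set built incrementally: each OTHERS_* add is reported on its own line,
      # but only when the same set later reaches the sink.
      - pattern: |
          $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_READ);
          ...
          java.nio.file.Files.setPosixFilePermissions($FILE, $P);
      - pattern: |
          $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_WRITE);
          ...
          java.nio.file.Files.setPosixFilePermissions($FILE, $P);
      - pattern: |-
          $P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_EXECUTE);
          ...
          java.nio.file.Files.setPosixFilePermissions($FILE, $P);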

Examples

overly-permissive-file-permission.java

package testcode.file.permissions;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.HashSet;
import java.util.Set;

/**
 * Semgrep test fixture for {@code overly-permissive-file-permission}.
 *
 * <p>Each {@code // ruleid:} comment marks the line the rule is expected to
 * report; lines without an annotation must produce no finding. Keep every
 * annotation directly above the statement it marks. The rule only evaluates
 * the "others" (world) triple of a mode, so the owner and group bits used in
 * these examples never decide whether a line is reported.
 */
public class FileApi {

    /**
     * Mode strings passed straight to {@link Files#setPosixFilePermissions}.
     * {@code rw-rw-rw-} makes a startup script world-writable, so any local
     * user can replace what it executes; {@code rw-rw-r--} makes a
     * configuration file world-readable. Both are reported because the last
     * three characters contain {@code w} or {@code r} respectively.
     */
    public static void notOk() throws IOException {
        // ruleid:overly-permissive-file-permission
        Files.setPosixFilePermissions(Paths.get("/var/opt/app/init_script.sh"), PosixFilePermissions.fromString("rw-rw-rw-"));
        // ruleid:overly-permissive-file-permission
        Files.setPosixFilePermissions(Paths.get("/var/opt/configuration.xml"), PosixFilePermissions.fromString("rw-rw-r--"));
    }

    /**
     * Permission set built incrementally. Only the three {@code OTHERS_*} adds
     * are reported, and only because the same set reaches
     * {@link Files#setPosixFilePermissions} at the end of the method; the
     * {@code OWNER_*} and {@code GROUP_*} adds are not matched by the rule.
     */
    public static void notOk2() throws IOException {
        Set<PosixFilePermission> perms = new HashSet<>();
        perms.add(PosixFilePermission.OWNER_READ);
        perms.add(PosixFilePermission.OWNER_WRITE);
        perms.add(PosixFilePermission.OWNER_EXECUTE);

        perms.add(PosixFilePermission.GROUP_READ);
        perms.add(PosixFilePermission.GROUP_WRITE);
        perms.add(PosixFilePermission.GROUP_EXECUTE);

        // ruleid:overly-permissive-file-permission
        perms.add(PosixFilePermission.OTHERS_READ);
        // ruleid:overly-permissive-file-permission
        perms.add(PosixFilePermission.OTHERS_WRITE);
        // ruleid:overly-permissive-file-permission
        perms.add(PosixFilePermission.OTHERS_EXECUTE);

        // The sink that makes the three adds above reportable.
        Files.setPosixFilePermissions(Paths.get("/var/opt/app/init_script.sh"),perms);
    }

    /**
     * Negative cases: the "others" triple is {@code ---} in both mode strings,
     * so nothing is reported. NOTE(review): {@code rwxrwx---} still grants the
     * group full access, which this rule does not evaluate; whether that is
     * acceptable depends on who is in the file's group.
     */
    public static void ok() throws IOException {
        Files.setPosixFilePermissions(Paths.get("/var/opt/configuration.xml"), PosixFilePermissions.fromString("rw-rw----"));
        Files.setPosixFilePermissions(Paths.get("/var/opt/configuration.xml"), PosixFilePermissions.fromString("rwxrwx---"));
    }
}