All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.codemodder.codemods.SemgrepOverlyPermissiveFilePermissionsCodemod.description.md Maven / Gradle / Ivy

There is a newer version: 0.97.3
Show newest version
This change removes excessive privilege from a file that appears to be overly permissive. Files can be granted privileges to the file's owner, the file owner's group, or "others" -- meaning anyone else. It is hard to imagine the need for a file to be readable, writable or executable by anyone other than the file's owner or the file owner's group in modern software development. 

If a file is readable by "others", it could be read by a malicious system user to retrieve sensitive information or useful implementation details. If the file is writable by "others", the application could be tricked into performing actions on data provide by malicious users. Allowing execution of a file by "others" could allow malicious users to run arbitrary code on the server. 

Our changes look something like this:

```diff
  Set startupPermissions = new HashSet();
- startupPermissions.add(PosixFilePermission.OTHERS_WRITE);
+ startupPermissions.add(PosixFilePermission.GROUP_WRITE);
  Files.setPosixFilePermissions(startupScript, startupPermissions);
  
- Set shutdownPermissions = PosixFilePermissions.fromString("rwxrwxrwx");
+ Set shutdownPermissions = PosixFilePermissions.fromString("rwxrwx---");
  Files.setPosixFilePermissions(shutdownScript, shutdownPermissions);
```

Note: It's worth considering whether you could use a more restrictive permission than `GROUP_WRITE` here. For example, if the file is owned by the same user that's running the application, you could use `OWNER_WRITE` instead.




© 2015 - 2024 Weber Informatics LLC | Privacy Policy