• Home
• org.sonarsource.javascript
• javascript-checks
• 10.15.0.27423
• source code
• S2612.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.javascript.rules.javascript.S2612.html Maven / Gradle / Ivy

In Unix file system permissions, the "others" category refers to all users except the owner of the file system resource and the
members of the group assigned to this resource.
Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive
information, disrupt services or elevate privileges.
Ask Yourself Whether

  
 The application is designed to be run on a multi-user environment. 
  
 Corresponding files and directories may contain confidential information. 

There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
The most restrictive possible permissions should be assigned to files and directories.
Sensitive Code Example
Node.js fs
const fs = require('fs');

fs.chmodSync("/tmp/fs", 0o777); // Sensitive

const fs = require('fs');
const fsPromises = fs.promises;

fsPromises.chmod("/tmp/fsPromises", 0o777); // Sensitive

const fs = require('fs');
const fsPromises = fs.promises

async function fileHandler() {
  let filehandle;
  try {
    filehandle = fsPromises.open('/tmp/fsPromises', 'r');
    filehandle.chmod(0o777); // Sensitive
  } finally {
    if (filehandle !== undefined)
      filehandle.close();
  }
}

Node.js process.umask
const process = require('process');

process.umask(0o000); // Sensitive

Compliant Solution
Node.js fs
const fs = require('fs');

fs.chmodSync("/tmp/fs", 0o770); // Compliant

const fs = require('fs');
const fsPromises = fs.promises;

fsPromises.chmod("/tmp/fsPromises", 0o770); // Compliant

const fs = require('fs');
const fsPromises = fs.promises

async function fileHandler() {
  let filehandle;
  try {
    filehandle = fsPromises.open('/tmp/fsPromises', 'r');
    filehandle.chmod(0o770); // Compliant
  } finally {
    if (filehandle !== undefined)
      filehandle.close();
  }
}

Node.js process.umask
const process = require('process');

process.umask(0o007); // Compliant

See

  
 OWASP - Top 10 2021 Category A1 - Broken Access Control 
  
 OWASP - Top 10 2021 Category A4 - Insecure Design 
  
 OWASP - Top 10 2017 Category A5 - Broken Access Control
  
  
 OWASP File Permission 
  
 CWE - CWE-732 - Incorrect Permission Assignment for Critical Resource 
  
 CWE - CWE-266 - Incorrect Privilege Assignment 
  
 STIG Viewer - Application Security and
  Development: V-222430 - The application must execute without excessive account permissions.