I'm working on coming up with a solution for CWE-201 that is flagged from Veracode.
Background:
CWE-201: Information Exposure Through Sent Data
Weakness ID: 201 (Weakness Variant), Status: Draft
Description Summary: The accidental exposure of sensitive information through sent data refers to the transmission of data which are either sensitive in and of itself or useful in the further exploitation of the system through standard data channels.
Phase: Architecture and Design Strategy: Separation of Privilege Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
Besides... what the heck does that mean for people who code? I'm trying to find some practical solutions using Java to resolve this problem.
What I can tell is that the following code will cause Veracode to flag CWE-201:
public void init(URL filePath) {
    try {
        // filePath is a java.net.URL built further up from a system property;
        // the properties are read from whatever stream that URL opens.
        load(new BufferedInputStream(filePath.openStream()));
    } catch (java.io.IOException e) {
        Log.error("Could not load server properties file!", e);
    }
}
More information:
Phase: Implementation Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.
Phase: System Configuration Setup default error messages so that unexpected errors do not disclose sensitive information.
I have done the recommendation stated in the System Configuration phase by creating a custom runtime exception which swallows the IOException here... but Veracode still flagged it.
Here's what that code looks like:
public class CWE201Exception extends RuntimeException {
    private static Logger log = ESAPI.getLogger(CWE201Exception.class.getName());

    public CWE201Exception(String identifier, Throwable t) {
        // Keep the identifier as the exception message; the original IOException is
        // deliberately not chained so its details are not propagated to the caller.
        super(identifier);
        log.error(Logger.SECURITY_AUDIT, identifier);
    }
}
And updated the method to look like this:
public void init(URL filePath) {
    try {
        load(new BufferedInputStream(filePath.openStream()));
    } catch (java.io.IOException e) {
        // Replace the IOException with the custom exception so its message is not exposed.
        throw new CWE201Exception("omgStillDoingThis", e);
    }
}
Looking through the veracode report, I came across the following:
Attack Vector: java.net.URL.openStream
Description: The application calls the java.net.URL.openStream() function, which will result in data being transferred out of the application (via the network or another medium). This data contains sensitive information. openStream() was called on the filePath object, which contains potentially sensitive data. The potentially sensitive data originated from an earlier call to java.lang.system.getproperty.
Remediation: Ensure that the transfer of the sensitive data is intended and that it does not violate application security policy. This flaw is categorized as low severity because it only impacts confidentiality, not integrity or availability. However, in the context of a mobile application, the significance of an information leak may be much greater, especially if misaligned with user expectations or data privacy policies.
QUESTION
It turns out that when you read a property file that resides on your server in this way, you are using System.getProperties() indirectly.
Exposing this as a stream is viewed as the security threat.
With that said, what is the correct way to load a property file so that your application can load environment configuration information in a manner that Veracode considers "safe"?
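As an added example (not code from the question or from Veracode), one way to break the direct path from System.getProperty to openStream: either read the properties from the classpath, where no environment value decides what is opened, or accept only a bare file name from the property and resolve it inside a fixed, allow-listed directory before opening it. The base directory /etc/myapp, the class name ServerConfigLoader and the property name myapp.config are assumptions; how a particular scanner treats the validated path is not something the question establishes.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

public final class ServerConfigLoader {
    // Assumed, fixed location for server configuration; nothing from the environment changes it.
    private static final Path CONFIG_DIR = Paths.get("/etc/myapp").toAbsolutePath().normalize();

    /** Loads a properties file bundled with the application from the classpath. */
    public static Properties loadFromClasspath(String resourceName) throws IOException {
        Properties props = new Properties();
        try (InputStream in = ServerConfigLoader.class.getClassLoader().getResourceAsStream(resourceName)) {
            if (in == null) {
                // Fixed message: do not echo the resource name or any path into the error.
                throw new IOException("Bundled configuration resource not found");
            }
            props.load(in);
        }
        return props;
    }

    /** Loads a properties file by name, but only if it resolves to a regular file inside CONFIG_DIR. */
    public static Properties loadFromConfigDir(String fileName) throws IOException {
        Path candidate = CONFIG_DIR.resolve(fileName).normalize();
        // Rejects "../" traversal and absolute paths (resolve() keeps an absolute argument as-is),
        // as well as directories, devices and missing files.
        if (!candidate.startsWith(CONFIG_DIR) || !Files.isRegularFile(candidate)) {
            throw new IOException("Configuration file is outside the allowed directory or not a regular file");
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(candidate)) {
            props.load(in);
        }
        return props;
    }

    public static void main(String[] args) {
        // Only a file name is taken from the system property, never a full path or URL.
        String name = System.getProperty("myapp.config", "server.properties");
        try {
            Properties p = loadFromConfigDir(name);
            System.out.println("Loaded " + p.size() + " settings");
        } catch (IOException e) {
            // Generic message for the caller; details stay in the server-side log.
            System.err.println("Could not load server configuration");
        }
    }
}
```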