Made by DeepSource

Audit: File can be modified or read by any user JAVA-A1038

Security
Critical
a05 cwe-732 cwe-269 owasp top 10

File.setWritable() is invoked in a way that allows all users to write to a file. This may expose a security vulnerability in the application through that file.

Avoid such permissive settings, as there is always a possibility of a malicious actor abusing them.

Bad Practice

To allow any user to modify a file, one must invoke File.setWritable(boolean, boolean). This method's second argument (ownerOnly) controls whether the write permission is applied only to the file's owner (in many cases the user running the program) or to every user on the system.

If it is set to false, any user will be able to write to the file in question.

file.setWritable(true, false);

Recommended

If multi-user access is not needed, use the single-argument overload of File.setWritable() instead, which touches only the owner's write permission.

file.setWritable(true);

This can help reduce the attack surface by removing shared resources that can be manipulated.
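The following is an added example, not DeepSource's own code, that makes the difference between the two overloads visible by reading back the POSIX mode bits after each call. It assumes a POSIX filesystem (Files.getPosixFilePermissions is unsupported on Windows) and shows one caveat a reviewer should know: setWritable(true) only adds the owner's bit, it does not revoke group/other write bits that were already granted.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class SetWritableDemo {

    // Render the current POSIX mode of a file in "rwxr-x---" form.
    static String modeOf(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return PosixFilePermissions.toString(perms);
    }

    // The flagged pattern: ownerOnly=false grants the write bit to owner, group and others.
    static String worldWritable(File f) throws IOException {
        f.setWritable(true, false);
        return modeOf(f.toPath());
    }

    // The recommended overload is equivalent to setWritable(true, true):
    // only the owner's write bit is set; nothing else is changed.
    static String ownerWritable(File f) throws IOException {
        f.setWritable(true);
        return modeOf(f.toPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a fresh temp file, created by the JDK as rw------- (0600).
        Path tmp = Files.createTempFile("setwritable-demo-", ".txt");
        try {
            File f = tmp.toFile();
            System.out.println("initial                 : " + modeOf(tmp));      // rw-------
            System.out.println("setWritable(true, false): " + worldWritable(f)); // rw--w--w-
            // The single-argument call does not undo the group/other bits granted above.
            System.out.println("setWritable(true)       : " + ownerWritable(f)); // rw--w--w-
            // To actually remove shared write access, set the mode explicitly via NIO.
            Files.setPosixFilePermissions(tmp, PosixFilePermissions.fromString("rw-------"));
            System.out.println("explicit rw-------      : " + modeOf(tmp));      // rw-------
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

When remediating an existing world-writable file, the explicit Files.setPosixFilePermissions call (or setWritable(false, false) followed by setWritable(true)) is what restores owner-only access; swapping the overload alone only prevents new grants.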

References

  • Java SE 7 JavaDocs - java.io.File
  • CWE-269 - Improper Privilege Management
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
  • OWASP Top Ten (2021) - Category A05 - Security Misconfiguration