java.util.Properties.load() issues OWASP Top 10 2017

I have this code in Java, for the use of the properties file, but when executing the secure code scan with MicroFocus Fortify OWASP Top 10 2017, it generates issues of type "A1 Injection" and "A5 Broken Access Control" on the line that calls the method java.util.Properties.load(). I couldn't find the solution for this problem. The property file is outside the built WAR, in a different directory.

My Code:

import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

public void initPop() {
    logger.info("Cargar archivo de propiedades en memoria");
    String configProp = "config.properties";
    // try-with-resources closes the stream even if load() throws
    // (the original closed it only on the success path)
    try (InputStream inputSt = new FileInputStream("/home/ejm/properties/" + configProp)) {
        Properties prop = new Properties();
        prop.load(inputSt); // line reported by Fortify as A1 / A5
        Map<String, String> help = new HashMap<String, String>();
        // copy every key/value pair into a plain map
        for (Enumeration<?> names = prop.keys(); names.hasMoreElements();) {
            String key = (String) names.nextElement();
            help.put(key, prop.getProperty(key));
        }
        setLstProp(help);
        prop.clear();
    } catch (Exception ex) {
        logger.error("[getValue] Archivo " + configProp + " no encontrado : " + ex.toString());
    }
}

MicroFocus Fortify OWASP Top 10 2017 Report:

[Report screenshot: "Report OWASP TOP 10 2017"]

Solution

  • This case shows source code which is correct and does what it should.

    The check shows that your code may or may not be used to manipulate data or access portions of your software/company which would be otherwise restricted and prohibited.

    Let's get into detail. A1 Injection. That simply says that you load readable data from an external file which could be manipulated, e.g. if you keep access data in a property file which can be read or changed. The property files have no security measure (like CRC or encoding).

    A5 Access. It warns you that you - if you load and use the data right away - may infect your system with a manipulated access or redirection to prohibited systems (e.g. you save a link to a hidden port which is normally only accessible via some kind of login control).

    The key to being on the safe side is "sanitizing your input data". Control each and every pair for (a) value and range, (b) accessibility of data and links (e.g. compare it with entries in databases to check whether this user is allowed to do that), (c) store only values which are really necessary for this workstation (e.g. size of monitor, shortcuts, options, ...). If you do all that you can see it as what it is - a fair warning.
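The three checks the answer lists, written out as an added Java example (not code from the question or the answer): an allowlist of the keys the program actually needs, a per-key rule bounding each value, an allowlist of hosts the config may point at, and rejection of anything else. The key names, the allowed host and the sample file content are assumed/constructed.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.function.Predicate;

public class ValidatedProperties {
    // (b) accessibility: hosts this client may be pointed at (hypothetical; in a
    // real system this would come from a trusted store such as a database lookup)
    private static final Set<String> ALLOWED_HOSTS = Set.of("mail.example.org");

    // (c) allowlist of the only keys this program needs, each with a rule
    // that bounds the value (a). Key names are hypothetical.
    private static final Map<String, Predicate<String>> RULES = Map.of(
        "pop.host", ALLOWED_HOSTS::contains,
        "pop.port", v -> v.matches("\\d{1,5}") && Integer.parseInt(v) >= 1 && Integer.parseInt(v) <= 65535,
        "pop.timeoutSeconds", v -> v.matches("\\d{1,3}") && Integer.parseInt(v) <= 300
    );

    /** Loads properties and returns only expected keys whose values pass their rule. */
    public static Map<String, String> load(Reader in) throws IOException {
        Properties raw = new Properties();
        raw.load(in); // the call the scanner flags: data from an untrusted file
        Map<String, String> clean = new HashMap<>();
        for (String key : raw.stringPropertyNames()) {
            Predicate<String> rule = RULES.get(key);
            if (rule == null) {
                throw new IllegalStateException("unexpected property: " + key);
            }
            String value = raw.getProperty(key).trim();
            if (!rule.test(value)) {
                throw new IllegalStateException("value rejected for property: " + key);
            }
            clean.put(key, value);
        }
        return clean;
    }

    public static void main(String[] args) throws IOException {
        // constructed sample file; the second load adds a key that is not allowlisted
        String good = "pop.host=mail.example.org\npop.port=995\npop.timeoutSeconds=30\n";
        System.out.println(load(new StringReader(good)));
        try {
            load(new StringReader(good + "admin.url=http://127.0.0.1:8443/\n"));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The scanner still reports the load() call (it cannot know what happens downstream), but the values that reach the application are now bounded, which is what the answer means by treating the finding as a warning to be addressed by sanitizing.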