Sin 14: Improper File Access

Overview of the Sin

Improper file access is a relatively difficult sin to spot in code review, and can easily slip beneath the radar. There are three common security issues. The first is a race condition: after making security checks on a file, there is often a window of vulnerability between the time of check and the time of use (TOCTOU). Race conditions typically are associated with synchronization errors that provide a window of opportunity during which one process can interfere with another, possibly introducing a security vulnerability.

Sometimes an attacker can manipulate path names to overwrite important files or change the security posture between the security check and the action performed on the basis of that check. Also, many security issues may be introduced when files live remotely, such as on a Server Message Block (SMB) or Network File System (NFS) mount. This problem is most frequent in the handling of temporary files, because temporary file directories are usually a free-for-all: attackers might be able to use a race condition to trick you into opening a file they have control over, even if you check to make sure the file isn't there. If you don't perform checks, and simply rely on choosing a unique filename, you might be surprised when attackers control a file with the same name. This was a big problem with some temporary file APIs on Unix systems, where the API would pick predictable names that an attacker could guess.

The second common security issue is the classic "it isn't really a file" problem, where your code opens a file thinking the code is opening a simple file on the disk, but it is, in fact, a link to another file or a device name or a pipe.

The third common security issue is giving attackers some control over the filename that they shouldn't have, allowing them to read and potentially write sensitive information.
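The first two issues above, shown as an added C example for POSIX systems (not code from the book): a check-then-open routine with a TOCTOU window, next to a creation call that is atomic and an open that verifies the file type on the descriptor. The function names, the `/tmp/sin14-XXXXXX` scratch directory and the file names inside it are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Racy "before": the name is checked, then opened. A change to the name
 * between lstat() and open() is invisible to the check (TOCTOU). */
int create_checked_then_opened(const char *path) {
    struct stat st;
    if (lstat(path, &st) == 0) return -1;          /* time of check */
    return open(path, O_WRONLY | O_CREAT, 0600);   /* time of use */
}

/* Hardened create: O_CREAT|O_EXCL makes "must not exist" and "create" one
 * atomic step, and fails with EEXIST even when the name is a symlink. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened open: refuse a symlink as the final component, then check the type
 * on the descriptor (fstat), not the name. O_NONBLOCK: a FIFO cannot block. */
int open_regular_file(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Constructed self-check in a private scratch directory (paths are
 * assumptions). Returns 0 when every hardened call behaves as described. */
int demo(void) {
    char dir[] = "/tmp/sin14-XXXXXX", f[64], l[64], p[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(f, sizeof f, "%s/data", dir);
    snprintf(l, sizeof l, "%s/link", dir);
    snprintf(p, sizeof p, "%s/pipe", dir);
    int fd = create_exclusive(f), bad = fd < 0;    /* fresh name: created */
    if (fd >= 0) close(fd);
    bad |= symlink(f, l) != 0 || mkfifo(p, 0600) != 0;
    bad |= create_exclusive(f) >= 0;               /* existing file: refused */
    bad |= create_exclusive(l) >= 0;               /* symlink: refused */
    bad |= open_regular_file(l) >= 0;              /* symlink: refused */
    bad |= open_regular_file(p) >= 0;              /* FIFO: refused */
    fd = open_regular_file(f); bad |= fd < 0; if (fd >= 0) close(fd);
    unlink(l); unlink(p); unlink(f); rmdir(dir);
    return bad;
}
int main(void) { return demo(); }
```

`O_NOFOLLOW` only guards the last path component, so the directory that holds the file still has to be one that other users cannot write to.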



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Writing Secure Code
ISBN: 71626751
EAN: 2147483647
Year: 2003
Pages: 239
