Java


JAVA.MISC.SD.FILE : Sensitive Data Written to Local File (Java)

要旨

Potentially sensitive data is stored in a file.

The following are considered sensitive system data.

プロパティ

クラス名 Sensitive Data Written to Local File (Java)
日本語クラス名 Sensitive Data Written to Local File (Java)
クラス分類 セキュリティ (security)
ニーモニック JAVA.MISC.SD.FILE
カテゴリー
CWE CWE:538 Insertion of Sensitive Information into Externally-Accessible File or Directory
CERT-Java CERT-Java:DRD22 Do not cache sensitive information
OWASP-2017 OWASP-2017:A3 Sensitive data exposure
OWASP-2021 OWASP-2021:A2 Cryptographic failures
対応言語 Java で利用可能です。
有効/無効設定 このワーニングクラスのチェックはデフォルトで無効になっています。チェックを有効にするにはプロジェクト設定ファイル (configuration file)に以下の WARNING_FILTER ルールを追加してください。
WARNING_FILTER += allow class="Sensitive Data Written to Local File (Java)"

package com.juliasoft.julia.tests.checks.sensitiveDataCaching;

import java.io.BufferedOutputStream;
import java.io.BufferedWriter;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.RandomAccessFile;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import android.app.Activity;
import android.os.Environment;
import android.telephony.TelephonyManager;

/**
 * Checker fixture: reads a device identifier and writes it, unencrypted, to
 * files through eight different java.io / java.nio APIs.
 *
 * <p>The code is deliberately insecure. Each trailing "warning issued here"
 * comment marks the statement where the sensitive value reaches a file sink.
 * Per those annotations, only {@link #usingBufferedWritter1} is reported as
 * "Sensitive Data Written to Local File (Java)"; the remaining writers target
 * external-storage paths and are reported under the separate
 * "Sensitive Data Written to External Storage" class.
 *
 * <p>Remediation for real code: avoid persisting device identifiers at all.
 * If a value must be stored, keep it in app-private internal storage and
 * encrypt it before writing. Do not place it on shared external storage,
 * which other apps may be able to read.
 */
public class ExternalStorageLeak extends Activity {

  /**
   * Taint source and driver: obtains the device ID and passes it to every
   * writer below.
   *
   * <p>An {@link IOException} from any writer stops the remaining calls and
   * is only printed via {@code printStackTrace()}.
   */
  public void MyMethod()
  {

    try {
      // TELEPHONY_SERVICE is a static constant reached through `this`.
      TelephonyManager telephonyManager = (TelephonyManager) getSystemService(this.TELEPHONY_SERVICE); 
      // Taint source: getDeviceId() returns a persistent hardware identifier
      // (e.g. the IMEI), which is what makes the writes below sensitive.
      String imei=telephonyManager.getDeviceId();
    
      usingBufferedWritter1(imei);
      usingBufferedWritter2(imei);
      usingFileWriter(imei);
      usingPrintWriter(imei);
      usingFileOutputStream(imei);
      usingDataOutputStream(imei);
      usingFileChannel(imei);
      usingPath(imei);
    } catch (IOException e) {
      e.printStackTrace();
    }
  }

  /**
   * Writes {@code fileContent} to the relative path {@code myfile0.txt}
   * through a {@link BufferedWriter}.
   *
   * <p>NOTE(review): the writer is not closed if {@code write} throws; the
   * same pattern recurs in the other writers of this class.
   *
   * @param fileContent text to store; the caller in this class passes the device ID
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingBufferedWritter1(String fileContent) throws IOException
  {
      BufferedWriter writer = new BufferedWriter(new FileWriter("myfile0.txt"));
      writer.write(fileContent);                 // Sensitive Data Written to Local File (Java) warning issued here
      writer.close();
  }
      
  /**
   * Writes {@code fileContent} through a {@link BufferedWriter} to a path
   * built from the external storage directory.
   *
   * <p>NOTE(review): the directory and {@code "myfile1.txt"} are joined by
   * plain string concatenation with no separator, so the file presumably ends
   * up next to the external storage directory rather than inside it. Confirm
   * whether the fixture intends this. The same concatenation appears in
   * usingPrintWriter, usingDataOutputStream, usingFileChannel and usingPath.
   *
   * @param fileContent text to store; the caller in this class passes the device ID
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingBufferedWritter2(String fileContent) throws IOException
  {
      BufferedWriter writer = new BufferedWriter(new FileWriter(Environment.getExternalStorageDirectory()+"myfile1.txt"));
      writer.write(fileContent);                 // "Sensitive Data Written to External Storage" warning issued here 
      writer.close();
  }

  /**
   * Writes {@code fileContent} with a bare {@link FileWriter} to a hard-coded
   * {@code /sdcard} path, i.e. the external-storage location is given as a
   * string literal rather than obtained from {@link Environment}.
   *
   * @param fileContent text to store; the caller in this class passes the device ID
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingFileWriter(String fileContent) throws IOException
  {
      FileWriter fileWriter = new FileWriter("/sdcard/Android/data/myfile2.txt");
      fileWriter.write(fileContent);             // "Sensitive Data Written to External Storage" warning issued here 
      fileWriter.close();
  }
      
  /**
   * Writes {@code fileContent} through a {@link PrintWriter} wrapped around a
   * {@link FileWriter}.
   *
   * <p>{@code PrintWriter.print} does not throw on I/O failure, so only
   * opening the file can raise the declared exception here.
   *
   * @param fileContent text to store; the caller in this class passes the device ID
   * @throws IOException if the file cannot be opened
   */
  public static void usingPrintWriter(String fileContent) throws IOException
  {
      FileWriter fileWriter = new FileWriter(Environment.getLegacyExternalStorageDirectory()+"myfile3.txt");
      PrintWriter printWriter = new PrintWriter(fileWriter);
      printWriter.print(fileContent);            // "Sensitive Data Written to External Storage" warning issued here 
      printWriter.close();
  }

  /**
   * Writes the bytes of {@code fileContent} with a {@link FileOutputStream}.
   *
   * <p>This is the one external-storage variant that builds the path with
   * {@code new File(parent, child)}, so the file really is created inside the
   * external storage directory.
   *
   * @param fileContent text to store; the caller in this class passes the device ID
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingFileOutputStream(String fileContent) throws IOException
  {
      FileOutputStream outputStream = new FileOutputStream(new File(Environment.getExternalStorageDirectory(),"myfile4.txt"));
      // getBytes() without a charset argument uses the default charset.
      byte[] strToBytes = fileContent.getBytes();
      outputStream.write(strToBytes);            // "Sensitive Data Written to External Storage" warning issued here 
      outputStream.close();
  }

  /**
   * Writes {@code fileContent} with {@link DataOutputStream#writeUTF} over a
   * buffered {@link FileOutputStream}.
   *
   * <p>{@code writeUTF} only adds a length prefix and uses modified UTF-8;
   * the stored value is still readable plaintext, not protected data.
   *
   * @param fileContent text to store; the caller in this class passes the device ID
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingDataOutputStream(String fileContent) throws IOException
  {
      FileOutputStream outputStream = new FileOutputStream(Environment.getLegacyExternalStorageObbDirectory()+"myfile5.txt");
      DataOutputStream dataOutStream = new DataOutputStream(new BufferedOutputStream(outputStream));
      dataOutStream.writeUTF(fileContent);       // "Sensitive Data Written to External Storage" warning issued here 
      dataOutStream.close();
  }
      
  /**
   * Writes the bytes of {@code fileContent} through the {@link FileChannel}
   * of a {@link RandomAccessFile} opened in {@code "rw"} mode.
   *
   * @param fileContent text to store; the caller in this class passes the device ID
   * @throws IOException if the file cannot be opened or written
   */
  public static void usingFileChannel(String fileContent) throws IOException
  {
      RandomAccessFile stream = new RandomAccessFile(Environment.getExternalStorageDirectory()+"myfile6.txt", "rw");
      FileChannel channel = stream.getChannel();
      // getBytes() without a charset argument uses the default charset.
      byte[] strBytes = fileContent.getBytes();
      ByteBuffer buffer = ByteBuffer.allocate(strBytes.length);
      buffer.put(strBytes);
      // flip() switches the buffer from filling to draining so write() sees the data.
      buffer.flip();
      channel.write(buffer);                     // "Sensitive Data Written to External Storage" warning issued here 
      // Closing the RandomAccessFile also closes its channel, so the second
      // close() below has nothing left to do.
      stream.close();
      channel.close();
  }

  /**
   * Writes the bytes of {@code fileContent} in one call with
   * {@link Files#write(Path, byte[], java.nio.file.OpenOption...)}.
   *
   * @param fileContent text to store; the caller in this class passes the device ID
   * @throws IOException if the file cannot be created or written
   */
  public static void usingPath(String fileContent) throws IOException
  {
      Path path = Paths.get(Environment.getExternalStorageDirectory()+"myfile7.txt");
      Files.write(path, fileContent.getBytes()); // "Sensitive Data Written to External Storage" warning issued here 
  }
}

関連のある設定ファイルパラメータ

設定ファイルの以下のパラメータがこのワーニングクラスのチェックに影響します。