RSPEC-5847 (Rules Repository)

Accessing files should not introduce TOCTOU vulnerabilities


    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Remove this TOCTOU race condition window when accessing files.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Covered Languages:
      C, C++, Objective-C
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources
    • CERT:
      FIO45-C
    • CWE:
      CWE-367
    • OWASP:
      A5

      Description

      "Time Of Check to Time Of Use" (TOCTOU) vulnerabilities occur when an application:

      • First, checks permissions or attributes of a file: for instance, is the file a symbolic link?
      • Next, performs some operation on that file, such as writing data to it.

      The application cannot assume that the state of the file is unchanged between these two steps: there is a race condition (i.e. two different processes can access and modify the same shared object or file at the same time), which can lead to privilege escalation, denial of service and other unexpected results.

      For instance, attackers can exploit this situation by replacing the checked file with a symbolic link to a sensitive file (e.g. /etc/passwd on Unix) immediately after the first step, so that the second step writes through the link, and try to elevate their privileges (e.g. if the written data has the correct /etc/passwd format).

      To avoid TOCTOU vulnerabilities, one possible solution is to perform the "check" and the "use" as a single atomic operation, which removes the race condition window: for example, open the file with O_NOFOLLOW (or O_CREAT | O_EXCL) so that open() itself fails when the path is a symbolic link (or already exists), instead of testing that condition with a separate lstat() call beforehand. Another possibility is to open the file once and then work through the resulting file descriptor (fstat(), fchmod(), ftruncate(), write()) rather than repeating operations on the path name (stat(), chmod(), a second open()). The binding of the file descriptor to the file cannot be changed by a concurrent process, whereas every path lookup can resolve to something different.
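      The following is an added example illustrating the noncompliant and compliant patterns described above; it is not code from the rule specification or from SonarSource. It shows the lstat()-then-fopen() race that this rule flags, beside a rewrite that folds the check into a single open(O_NOFOLLOW) and then works only through the file descriptor. The during_window callback is an assumed test hook that stands in for a concurrent attacker process, and the scratch files it creates stand in for the attacker-controlled path and for /etc/passwd; the function names and the constructed /etc/passwd-style lines are assumptions for illustration. POSIX only.

```c
/* Added example for RSPEC-5847, not SonarSource's code: the lstat()-then-fopen()
 * race beside a rewrite that does check and use in one open() and then works
 * only through the descriptor. during_window is a test hook standing in for the
 * concurrent attacker; the scratch files stand in for /etc/passwd. POSIX only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Noncompliant: the check (lstat on the path) and the use (fopen on the path)
 * are two separate path lookups; the path can be swapped between them. */
int write_report_noncompliant(const char *path, const char *data,
                              void (*during_window)(void *), void *ctx)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) return -1; /* check */
    if (during_window) during_window(ctx);  /* race window: attacker acts here */
    FILE *f = fopen(path, "w");             /* use: new lookup, follows symlink */
    if (!f) return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Compliant: O_NOFOLLOW folds "is it a symlink?" into open() itself, so check
 * and use are one atomic operation; everything after goes through the fd, whose
 * binding no other process can change. No O_TRUNC: truncating at open() time
 * would hit a hard-linked victim before fstat() has the chance to reject it. */
int write_report_compliant(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                  /* ELOOP: path is a symbolic link */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != getuid() || ftruncate(fd, 0) != 0) {
        close(fd);                          /* hard link, device, foreign file */
        return -1;
    }
    for (size_t done = 0, len = strlen(data); done < len; ) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); return -1; }
        done += (size_t)n;
    }
    return close(fd) == 0 ? 0 : -1;
}

/* --- demonstration: constructed scratch files only, no real system files --- */
struct attack { char target[128]; char victim[128]; };

static void swap_in_symlink(void *ctx)      /* the attacker's move in the window */
{
    struct attack *a = ctx;
    unlink(a->target);
    if (symlink(a->victim, a->target) != 0) perror("symlink");
}

static int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

static int file_contains(const char *path, const char *needle)
{
    char buf[256] = {0};
    FILE *f = fopen(path, "r");
    if (f) { size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = '\0'; fclose(f); }
    return strstr(buf, needle) != NULL;
}

/* Returns 1 if the victim file ends up holding the injected line, 0 if it is
 * untouched, -1 if the scratch directory could not be set up. */
static int run_scenario(int compliant)
{
    char dir[] = "/tmp/toctou-XXXXXX";
    struct attack a;
    if (!mkdtemp(dir)) return -1;
    snprintf(a.target, sizeof a.target, "%s/target", dir);
    snprintf(a.victim, sizeof a.victim, "%s/victim", dir);
    if (write_text(a.victim, "root:x:0:0:root:/root:/bin/sh\n") != 0) return -1;
    const char *payload = "evil::0:0:evil:/root:/bin/sh\n";   /* constructed line */
    if (compliant) {
        swap_in_symlink(&a);      /* link already in place: attacker won the race */
        write_report_compliant(a.target, payload);
    } else {
        write_text(a.target, ""); /* plain file, so the lstat() check passes */
        write_report_noncompliant(a.target, payload, swap_in_symlink, &a);
    }
    int clobbered = file_contains(a.victim, "evil::0:0");
    unlink(a.target); unlink(a.victim); rmdir(dir);
    return clobbered;
}

int victim_clobbered_noncompliant(void) { return run_scenario(0); }
int victim_clobbered_compliant(void)    { return run_scenario(1); }
```

      Calling victim_clobbered_noncompliant() returns 1: the lstat() check passed on a plain file, the attacker swapped in a symbolic link during the window, and fopen() wrote the injected line into the victim. victim_clobbered_compliant() returns 0 even though the link is already in place before the call: open() with O_NOFOLLOW fails with ELOOP, so there is no window to exploit. The fstat() checks on the descriptor (regular file, single link, owned by the caller) and the deferred ftruncate() cover the hard-link variant that O_NOFOLLOW alone does not.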

          Issue Links

          1.
          C-Family RSPEC-5848 Language-Specification Active Unassigned

              People

              Assignee:
              Unassigned
              Reporter:
              Eric Therond (eric.therond, inactive)
              Votes:
              0
              Watchers:
              3
