SV.IL.FILE

This error appears when a file name is printed back to the user, whether it is an internal file name or a temporary file name.

Vulnerability and risk

A file name printed back to the user can be used by an attacker to predict other file names, for example the name of the next temporary file. This information can then be used for unauthorized access, such as viewing other users' secret data. It also reveals the directory structure, which helps an attacker mount a path manipulation attack if the code has a path injection vulnerability. This weakness is also called a "path disclosure" vulnerability.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or could introduce human error.

Mitigation and prevention

Never print the full or temporary file name back to a user. For debug purposes use the server log, not the user's screen.

Example 1

     protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         // the debug flag is read from the request; the temp file name is internal data
         String debug = req.getParameter("debug");
         File file = File.createTempFile("tempfile", ".tmp");
         if ("true".equals(debug)) {
             resp.getOutputStream().print("Using " + file.toString());
         }
         // ...
         file.delete();
     }

SV.IL.FILE is reported for line 17: leaking name of temporary file 'file' created on line 15. This is sensitive information that can be used by an attacker to predict the location of other files to achieve unauthorized access.
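
A corrected version of Example 1, added here as an illustration (not Klocwork's own code): the temporary file path goes only to the server log, and the user sees an opaque reference ID that support staff can match against the log. The class name UploadServlet, the javax.servlet API (jakarta.servlet on newer containers) and java.util.logging are assumptions. The user-controlled debug parameter is dropped, so debug output is governed by the server's logging configuration.

```java
import java.io.File;
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name; added example, not code from the original page.
public class UploadServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(UploadServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Opaque per-request ID: safe to show the user, reveals nothing about the file system.
        String requestId = UUID.randomUUID().toString();
        File file = null;
        try {
            file = File.createTempFile("tempfile", ".tmp");
            // The path is written to the server log only, keyed by the request ID.
            LOG.log(Level.FINE, "request {0}: using temp file {1}",
                    new Object[] {requestId, file.getAbsolutePath()});
            // ... process the request using 'file' ...
            resp.getOutputStream().print("Request accepted, reference " + requestId);
        } catch (IOException e) {
            // Exception messages can embed the path, so log them and answer generically.
            LOG.log(Level.SEVERE, "request " + requestId + ": temp file handling failed", e);
            if (!resp.isCommitted()) {
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                        "Internal error, reference " + requestId);
            }
        } finally {
            // Always remove the temp file; report a failed delete in the log, not to the user.
            if (file != null && !file.delete()) {
                LOG.log(Level.WARNING, "request {0}: could not delete temp file {1}",
                        new Object[] {requestId, file.getAbsolutePath()});
            }
        }
    }
}
```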

Security training

Application security training materials provided by Secure Code Warrior.

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.