CWE-576: EJB Bad Practices: Use of Java I/O

Description

The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

Extended Description

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not use the java.io package to attempt to access files and directories in the file system." The specification justifies this requirement in the following way: "The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data."

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Quality Degradation — Notes:

Potential Mitigations

Implementation: Do not use Java I/O when writing EJBs. (N/A)

Applicable Platforms

Java (N/A, Undetermined)

Demonstrative Examples

Intro: The following Java example is a simple stateless Enterprise JavaBean that retrieves the interest rate for the number of points for a mortgage. In this example, the interest rates for various points are retrieved from an XML document on the local file system, and the EJB uses the Java I/O API to retrieve the XML document from the local file system.

Body: This use of the Java I/O API within any kind of Enterprise JavaBean violates the EJB specification by using the java.io package for accessing files within the local filesystem.

@Stateless public class InterestRateBean implements InterestRateRemote { private Document interestRateXMLDocument = null; private File interestRateFile = null; public InterestRateBean() { try { /* get XML document from the local filesystem */ interestRateFile = new File(Constants.INTEREST_RATE_FILE); if (interestRateFile.exists()) { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilder db = dbf.newDocumentBuilder(); interestRateXMLDocument = db.parse(interestRateFile); } } catch (IOException ex) {...} } public BigDecimal getInterestRate(Integer points) { return getInterestRateFromXML(points); } /* member function to retrieve interest rate from XML document on the local file system */ private BigDecimal getInterestRateFromXML(Integer points) {...} }

Notes

No notes available.

← Back to CWE list