Alternate way of loading a resource other than getClass().getResourceAsStream() or Resources.Open(“”) in LWUIT(J2ME)

StackOverflow https://stackoverflow.com/questions/21981721

15-10-2022

Question

We've just gotten feedback on the security of the J2ME app we delivered, and it seems that Veracode is taking getClass().getResourceAsStream(), called in Resources.Open("/res/resfile.res") as a security flaw.

http://www.cvedetails.com/cwe-details/73/External-Control-of-File-Name-or-Path.html

The problem here is that the resource is not being given by user input but is called in the way I have shown here. However, for some reason, the company we're dealing with won't accept false positives.

Is there any alternate way of loading the resource so that it doesn't use getResourceAsStream and passes the Veracode test?


Solution

No, there are no other ways of loading internal resources for J2ME. You need to use getResourceAsStream() on the Class object.

This is not a security flaw. I think Veracode is confused. It looks like they think you're loading an external file from the user's SD card or internal phone storage - and that would indeed be a security flaw. But that's not what getResourceAsStream() does.

The only thing you can read using getResourceAsStream() are the files contained inside the JAR you yourself have created.

I think the only thing you can do is try to explain this to Veracode. Because it's definitely not a security flaw.
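As an added illustration of the point made in this answer (this is not code from the question, the answer, or LWUIT), the class below shows the two situations side by side: a loader whose resource path is a compile-time constant, which is what the question's `Resources.Open("/res/resfile.res")` call amounts to and which can only ever read an entry bundled in the application's own JAR, and a loader where a caller does choose which resource is used, which is the only situation in which CWE-73 (external control of file name or path) actually applies. In the second case the caller's string is matched against a fixed allowlist and never concatenated into the path. The class name, the resource names and the "theme" selector are hypothetical; the code uses only classes available on CLDC/MIDP so that it is J2ME-compatible, and the class literal `JarResourceLoader.class` stands in for the `getClass()` call in the question because the methods are static.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

// Added illustration, not code from the question, the answer or LWUIT.
// Resource names and the "theme" selector are hypothetical.
public final class JarResourceLoader {

    // The path is a compile-time constant: no caller can name anything outside
    // the JAR, so there is no externally controlled file name or path here.
    private static final String RES_PATH = "/res/resfile.res";

    // The only variants the application is prepared to hand out by name.
    // Anything not in this table is refused, so a caller cannot steer the
    // loader toward an arbitrary entry (the CWE-73 mitigation pattern).
    private static final String[] ALLOWED_THEMES = {"light", "dark"};

    private JarResourceLoader() {}

    /** Reads the application's bundled resource file from the JAR. */
    public static byte[] loadBundledResource() throws IOException {
        // Class.getResourceAsStream only resolves entries packaged in the JAR;
        // it never touches the phone's file system or SD card.
        return readAll(JarResourceLoader.class.getResourceAsStream(RES_PATH));
    }

    /**
     * Maps a caller-supplied theme name onto one of a fixed set of JAR entries.
     * The caller's string is compared against the allowlist; the path is built
     * from the allowlist entry, never from the caller's input.
     */
    public static byte[] loadTheme(String themeName) throws IOException {
        for (int i = 0; i < ALLOWED_THEMES.length; i++) {
            if (ALLOWED_THEMES[i].equals(themeName)) {
                String path = "/res/theme_" + ALLOWED_THEMES[i] + ".res";
                return readAll(JarResourceLoader.class.getResourceAsStream(path));
            }
        }
        throw new IllegalArgumentException("unknown theme: " + themeName);
    }

    private static byte[] readAll(InputStream in) throws IOException {
        if (in == null) {
            // getResourceAsStream returns null when the entry is not in the JAR;
            // fail loudly rather than passing a null stream along.
            throw new IOException("resource not found in JAR");
        }
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[512];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } finally {
            in.close();
        }
    }
}
```

`loadBundledResource()` is the shape of the call the scanner flagged: with a constant path there is nothing for an outside party to control, which is why the finding is a false positive. `loadTheme()` is the shape a genuine CWE-73 finding would refer to, and the allowlist is what makes it safe; if a scanner still flags the constant-path form, the constant and the null check are the evidence to point at when explaining the result.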

OTHER TIPS

You can put all the content of your files inside java-classes. But that is no fun, and it is also not more secure.

Licensed under: CC-BY-SA with attribution