Veracode Cryptographic Issue: CWE ID:311
Description: The application exposes potentially sensitive data by passing it into a function unencrypted. This could allow private data such as cryptographic keys or other sensitive information to be erroneously exposed.
Recommendations: Ensure that the application protects all sensitive data from unnecessary exposure.
Error pointed on: [[NSFileManager defaultManager] setAttributes:@{NSFileModificationDate: [NSDate date]} ofItemAtPath:path error:nil];
Any suggestions, how to fix this issue ?
- (NSData*)loadContentsFromSecureFile:(NSString*)name ofType:(HCFileType)type
{
NSString *path = [self pathForFile:name ofType:type];
NSData *encryptedData = [NSData dataWithContentsOfFile:path];
if (encryptedData == nil) {
DebugLog(@"No secure data found: %@", path);
return nil;
}
NSData *data = [encryptedData AES256DecryptWithKey:[self.profile getFileKeyBytes]];
if (data == nil) {
DebugLog(@"Unable to decrypt data, deleting: %@", path);
[[NSFileManager defaultManager] removeItemAtPath:path error:nil];
return nil;
}
// Error pointed on this below line.
[[NSFileManager defaultManager] setAttributes:@{NSFileModificationDate: [NSDate date]} ofItemAtPath:path error:nil];
return data;
}
Try adding attributes with permission as username, that will restrict anyone to read write file.
// Error pointed on this line
NSDictionary *attrib = [NSDictionary dictionaryWithObjectsAndKeys:
[NSNumber numberWithInt:0], NSFileGroupOwnerAccountID,
[NSNumber numberWithInt:0], NSFileOwnerAccountID,
@"username", NSFileGroupOwnerAccountName,
@"username", NSFileOwnerAccountName, NSFileModificationDate, [NSDate date]];
[[NSFileManager defaultManager] setAttributes:attrib ofItemAtPath:path error:nil];