Alternate way of loading a resource other than getClass().getResourceAsStream() or Resources.Open(“”) in LWUIT(J2ME)

Question

We've just gotten feedback on the security of the J2ME app we delivered, and it seems that Veracode is taking getClass().getResourceAsStream(), called in Resources.Open("/res/resfile.res") as a security flaw.

http://www.cvedetails.com/cwe-details/73/External-Control-of-File-Name-or-Path.html

The problem here is that the resource is not being given by user input but is called in the way I have shown here. However, for some reason, the company we're dealing with won't accept false positives.

Is there any alternate way of loading the resource so that it doesn't use getResourceAsStream and passes the Veracode test?

Take it up with Veracode, and offer to sue them. – user207421 Feb 24 '14 at 08:35 — user207421, Feb 24 '14 at 08:35
Haha. I really wish it was that easy! – Pat Feb 24 '14 at 09:17 — Pat, Feb 24 '14 at 09:17

score 3 · Accepted Answer · answered Feb 24 '14 at 13:01

No there are no other ways of loading internal resources for J2ME. You need to use the getResourceAsStream() on the Class object.

This is not a security flaw. I think Veracode is confused. Looks like they think you're loading an external file from the user SD card or internal phone storage - and that would indeed be a security flaw. But that's not what getResourceAsStream() does.

The only thing you can read using getResourceAsStream() are the files contained inside the JAR you yourself have created.

I think the only thing you can do is try to explain this to Veracode. Because it's definitely not a security flaw.

score 2 · Answer 2 · answered Feb 25 '14 at 18:25

2

You can put all the content of your files inside java-classes. But that is no fun, and it is also not more secure.

answered Feb 25 '14 at 18:25

Meier

3,858
1
17
46

Alternate way of loading a resource other than getClass().getResourceAsStream() or Resources.Open(“”) in LWUIT(J2ME)

2 Answers2