Skills
skills/developerscoffee/java-cwe-security-skills/cwe-552-files-accessible-externally

cwe-552-files-accessible-externally

SKILL.md

CWE-552 Files Accessible to External Parties

Description

Files Accessible to External Parties

Reference: https://cwe.mitre.org/data/definitions/552.html

OWASP Category: A01:2021 – Broken Access Control

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Serving files without access control
@GetMapping("/files/{filename}")
public ResponseEntity<Resource> getFile(@PathVariable String filename) {
    Path path = Paths.get("/uploads/" + filename);
    Resource resource = new FileSystemResource(path);
    return ResponseEntity.ok().body(resource);
}

Why it's vulnerable: This pattern is vulnerable to Files Accessible to External Parties

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Validate access and sanitize filename
@GetMapping("/files/{filename}")
public ResponseEntity<Resource> getFile(@PathVariable String filename, Authentication auth) {
    // Sanitize filename
    String safeName = Paths.get(filename).getFileName().toString();
    // Verify user has access
    FileMetadata meta = fileService.getMetadata(safeName);
    if (!meta.canAccess(auth.getName())) {
        throw new AccessDeniedException("Access denied");
    }
    Path path = uploadDir.resolve(safeName);
    return ResponseEntity.ok().body(new FileSystemResource(path));
}

Why it's secure: Implements proper protection against Files Accessible to External Parties

Detection Pattern

Look for these patterns in your codebase:

# Find file serving endpoints
grep -rn "FileSystemResource\\|getFile\\|download" --include="*Controller.java"

Remediation Steps

  1. Validate user authorization before serving files

  2. Sanitize filenames to prevent path traversal

  3. Store files outside web root

  4. Implement access control lists for files

Key Imports


import org.springframework.core.io.FileSystemResource;

import java.nio.file.Paths;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code

Trigger Examples

Fix CWE-552 vulnerability
Resolve Files Accessible to External Parties issue
Secure this Java code against files accessible to external parties
SAST reports CWE-552

Common Vulnerable Locations

Layer Files Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

References

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07

Weekly Installs
1
Repository
developerscoffe…y-skills
First Seen
10 days ago
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
mcpjam1
claude-code1
replit1
junie1
windsurf1
zencoder1