---
name: cwe-552-files-accessible-externally
description: Use this skill when you need to remediate CWE-552 (Files Accessible to External Parties) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing files accessible to external parties issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-552
  - remediation
  - sast
---
# CWE-552 Files Accessible to External Parties

## Description

Files Accessible to External Parties

- Reference: https://cwe.mitre.org/data/definitions/552.html
- OWASP Category: A01:2021 – Broken Access Control
## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: Serving files without access control
@GetMapping("/files/{filename}")
public ResponseEntity<Resource> getFile(@PathVariable String filename) {
    // The raw request value is concatenated straight into the file-system path
    Path path = Paths.get("/uploads/" + filename);
    // No authentication or authorization check before the file is returned
    Resource resource = new FileSystemResource(path);
    return ResponseEntity.ok().body(resource);
}
```
**Why it's vulnerable:** The endpoint returns any file under `/uploads/` to any caller. There is no authentication or authorization check, and the untrusted `filename` is concatenated into the path unsanitized, so it can name files the caller was never meant to see, including files outside the upload directory.
## Deterministic Fix

### ✅ Secure Implementation

```java
// SECURE: Validate access and sanitize filename
// Assumes injected collaborators: fileService (file metadata + ACL) and uploadDir (Path)
@GetMapping("/files/{filename}")
public ResponseEntity<Resource> getFile(@PathVariable String filename, Authentication auth) {
    // Sanitize filename: keep only the last path segment, dropping any directory components
    String safeName = Paths.get(filename).getFileName().toString();
    // Verify the authenticated user has access to this specific file
    FileMetadata meta = fileService.getMetadata(safeName);
    if (!meta.canAccess(auth.getName())) {
        throw new AccessDeniedException("Access denied");
    }
    // Resolve against a fixed upload directory rather than building the path from input
    Path path = uploadDir.resolve(safeName);
    return ResponseEntity.ok().body(new FileSystemResource(path));
}
```
**Why it's secure:** The caller must be authenticated, the file's metadata is consulted to confirm that user may read it, the request value is reduced to a bare file name so directory components are discarded, and the final path is resolved against a fixed upload directory instead of being assembled from user input.
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find file serving endpoints
grep -rn "FileSystemResource\|getFile\|download" --include="*Controller.java"
```
## Remediation Steps

1. Validate user authorization before serving files
2. Sanitize filenames to prevent path traversal
3. Store files outside web root
4. Implement access control lists for files
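The four steps above carried through in one complete endpoint, as an added example that is not part of this skill's own code. It goes slightly beyond the fix shown earlier: the ACL is an explicit `FileAccessService` interface, the resolved path is checked to sit directly under the upload root, and the real (symlink-resolved) path is re-checked before the file is streamed. The package name, `SecureFileController`, `FileAccessService`, `InMemoryFileAccessService`, the user names and the `/var/app/uploads` location are all assumptions made for the example.

```java
// Added example (not the skill's own code). Assumed names: package example.files,
// SecureFileController, FileAccessService, InMemoryFileAccessService, /var/app/uploads.
package example.files;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Set;

import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

/** Step 4: per-file access control list, answering "may this principal read this stored file?" */
interface FileAccessService {
    boolean canAccess(String principal, String storedName);
}

/** Constructed in-memory ACL for the example; a real application would back this with its metadata store. */
@Service
class InMemoryFileAccessService implements FileAccessService {
    private final Map<String, Set<String>> readers = Map.of(
            "report.pdf", Set.of("alice"),
            "invoice.pdf", Set.of("alice", "bob"));

    @Override
    public boolean canAccess(String principal, String storedName) {
        return readers.getOrDefault(storedName, Set.of()).contains(principal);
    }
}

@RestController
public class SecureFileController {

    // Step 3: upload root lives outside the web root (assumed location for the example).
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    private final FileAccessService fileAccess;

    public SecureFileController(FileAccessService fileAccess) {
        this.fileAccess = fileAccess;
    }

    @GetMapping("/files/{filename}")
    public ResponseEntity<Resource> getFile(@PathVariable String filename, Authentication auth) {
        // Step 1: anonymous callers never reach the file system.
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("Authentication required");
        }
        // Step 2: reduce the untrusted value to a single segment directly under UPLOAD_DIR.
        Path path = resolveInsideBase(UPLOAD_DIR, filename);
        String storedName = path.getFileName().toString();
        // Step 4: consult the ACL before touching the disk at all.
        if (!fileAccess.canAccess(auth.getName(), storedName)) {
            throw new AccessDeniedException("Access denied");
        }
        // Existence plus symlink check: the real path must still be under the upload root.
        try {
            if (!Files.isRegularFile(path) || !path.toRealPath().startsWith(UPLOAD_DIR.toRealPath())) {
                throw new ResponseStatusException(HttpStatus.NOT_FOUND);
            }
        } catch (IOException e) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return ResponseEntity.ok()
                .contentType(MediaType.APPLICATION_OCTET_STREAM)
                .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + storedName + "\"")
                .body(new FileSystemResource(path));
    }

    /**
     * Maps untrusted input to a path guaranteed to sit directly under {@code base}.
     * Rejects empty names, names with invalid characters, and anything (".", "..",
     * nested directories) that does not normalise to a direct child of the base.
     */
    static Path resolveInsideBase(Path base, String untrusted) {
        Path name;
        try {
            name = Paths.get(untrusted).getFileName(); // last segment only; null for "/"
        } catch (InvalidPathException e) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid file name");
        }
        if (name == null || name.toString().isEmpty()) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid file name");
        }
        Path resolved = base.resolve(name).normalize();
        if (!resolved.startsWith(base) || !base.equals(resolved.getParent())) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid file name");
        }
        return resolved;
    }
}
```

`resolveInsideBase` is package-private so a unit test can call it directly: inputs such as `"../../etc/passwd"`, `"."`, `".."` and `""` should raise a 400 `ResponseStatusException`, while `"report.pdf"` should resolve to `/var/app/uploads/report.pdf`. At the controller level, a test should assert that `bob` requesting `report.pdf` gets `AccessDeniedException` (rendered as 403 by Spring Security) and that `alice` gets a 200 with a `Content-Disposition: attachment` header.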
## Key Imports

```java
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import java.nio.file.Path;
import java.nio.file.Paths;
```
## Verification

After remediation:

1. Run SAST scanner to confirm vulnerability is resolved
2. Review all instances of the vulnerable pattern
3. Add unit tests that verify the secure implementation
4. Check for similar patterns in related code
## Trigger Examples

- Fix CWE-552 vulnerability
- Resolve Files Accessible to External Parties issue
- Secure this Java code against files accessible to external parties
- SAST reports CWE-552
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07