name: cwe-732-improper-file-permissions
description: Use this skill when you need to remediate CWE-732 (Improper File Permissions) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing improper file permissions issues.
version: 1.0.0
license: MIT
tags:
- security
- java
- cwe-732
- remediation
- sast
CWE-732 Improper File Permissions
Description
CWE-732 is titled "Incorrect Permission Assignment for Critical Resource" by MITRE: the product sets permissions on a security-critical resource (here, files and directories holding secrets or configuration) so that unintended local users or processes can read, modify, or execute it. On a shared host, a container with a mounted volume, or a box where one low-privilege service is compromised, those permissions are the only thing standing between the attacker and the credentials.
Reference: https://cwe.mitre.org/data/definitions/732.html
OWASP Category: A01:2021 – Broken Access Control
Vulnerable Pattern
❌ Example 1: Vulnerable Pattern
```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// VULNERABLE: ownerOnly=false applies the bit to owner, group AND others
// (the boolean return value is ignored, so a failed call is silent)
File configFile = new File("/app/config/secrets.conf");
configFile.setReadable(true, false);   // World readable!
configFile.setWritable(true, false);   // World writable!
configFile.setExecutable(true, false); // World executable!

// VULNERABLE: 777 permissions
Path path = Paths.get("/app/config/secrets.conf");
Set<PosixFilePermission> perms = PosixFilePermissions.fromString("rwxrwxrwx");
Files.setPosixFilePermissions(path, perms);
```
Why it's vulnerable: secrets.conf holds credentials, yet after these calls every local account and every process on the host can read it (credential theft) and overwrite it (an attacker rewrites a database URL, a trust store path, or a plugin location and the application loads it as trusted configuration). The second argument of File.setReadable/setWritable/setExecutable is ownerOnly; passing false grants the bit to group and others, not just the owner, and the methods return false instead of throwing when they fail, so an unexpected file system or umask goes unnoticed. PosixFilePermissions.fromString("rwxrwxrwx") is mode 0777, the widest mode there is.
Deterministic Fix
✅ Secure Implementation: Secure Implementation
```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// SECURE: Owner-only permissions (600 for files, 700 for directories)
Path secretFile = Paths.get("/app/config/secrets.conf");

// 600 (owner read/write only)
Set<PosixFilePermission> ownerOnly = EnumSet.of(
    PosixFilePermission.OWNER_READ,
    PosixFilePermission.OWNER_WRITE
);
// 700 for directories (owner rwx; the execute bit is what allows traversing the directory)
Set<PosixFilePermission> dirPerms = EnumSet.of(
    PosixFilePermission.OWNER_READ,
    PosixFilePermission.OWNER_WRITE,
    PosixFilePermission.OWNER_EXECUTE
);

// New files: pass the permissions to createFile so the inode never exists with the
// default (umask-derived, typically 644) mode. The umask can only clear bits, never add them.
FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
Files.createFile(secretFile, attr);   // throws FileAlreadyExistsException if the file exists

// Existing files and directories: tighten in place (NIO throws on failure, unlike java.io.File)
Files.setPosixFilePermissions(secretFile, ownerOnly);
Files.setPosixFilePermissions(Paths.get("/app/config"), dirPerms);
```
Why it's secure: only the owning account (the service user) can read or write the file, and only it can list or enter the directory; because the permissions are supplied to createFile, there is no window in which the file exists with the default mode before a later chmod. Two caveats a practitioner should handle: Files.setPosixFilePermissions and asFileAttribute throw UnsupportedOperationException on file stores without a POSIX view (for example NTFS on Windows), so either use AclFileAttributeView there or refuse to write the secret rather than falling back to defaults; and 700 on a shared directory such as /app/config locks out every other account, so apply it to the directory that holds the secrets rather than to a tree other processes need.
Detection Pattern
Look for these patterns in your codebase (review each hit: a GROUP_READ bit can be intentional for a shared group, a world bit on a secret almost never is):
```bash
# java.io.File setters whose second argument is false grant the bit to group and others
grep -rnE 'set(Readable|Writable|Executable)\([[:space:]]*true[[:space:]]*,[[:space:]]*false[[:space:]]*\)' --include='*.java' .
# PosixFilePermissions.fromString() masks with any group/other bit set (positions 4-9 not "-")
grep -rnE 'fromString\("[rwx-]{3}-*[rwx]' --include='*.java' .
# EnumSet/Set literals that include group or other permissions
grep -rnE 'PosixFilePermission\.(GROUP|OTHERS)_(READ|WRITE|EXECUTE)' --include='*.java' .
# Shell-outs to chmod (Runtime.exec / ProcessBuilder): check the mode argument by hand
grep -rn 'chmod' --include='*.java' .
```
Remediation Steps
Use 600 permissions for sensitive files (owner read/write only, no group or other bits)
Use 700 permissions for the directories that hold them, so other accounts cannot list or traverse them
Never call setReadable/setWritable/setExecutable with false as the second argument on a sensitive path: ownerOnly=false grants the bit to everyone. Prefer the NIO PosixFilePermission API, which throws on failure instead of returning false
Create files with restricted permissions atomically by passing PosixFilePermissions.asFileAttribute(...) to Files.createFile or Files.newByteChannel, rather than creating with the default mode and tightening afterwards
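The fix above and the remediation steps, carried through as one added example that is not part of this skill's original code. `OwnerOnlyFiles`, its method names, and the temp-directory demo in `main` are this example's own choices; it assumes Java 11 or later on a Linux or macOS file system that exposes the POSIX attribute view, and it refuses to write where it cannot verify that, rather than falling back to a world-readable file. It also covers the case the fix snippet leaves open: a secret file that already exists with loose permissions, or that an attacker has replaced with a symlink.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SeekableByteChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

/** Owner-only secret writer (added example; class and method names are this example's own). */
public final class OwnerOnlyFiles {
    static final Set<PosixFilePermission> FILE_600 =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
    static final Set<PosixFilePermission> DIR_700 = EnumSet.of(PosixFilePermission.OWNER_READ,
            PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE);
    static final Set<PosixFilePermission> GROUP_OR_OTHER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    private OwnerOnlyFiles() {}

    /** Fail closed: the nearest existing ancestor must sit on a file store with a POSIX view. */
    static void requirePosix(Path p) throws IOException {
        Path probe = p;
        while (probe != null && !Files.exists(probe, LinkOption.NOFOLLOW_LINKS)) {
            probe = probe.getParent();
        }
        if (probe == null || !Files.getFileStore(probe).supportsFileAttributeView("posix")) {
            throw new IOException("no POSIX permissions on file store for " + p + "; refusing to write secret");
        }
    }

    private static void writeFully(SeekableByteChannel ch, byte[] content) throws IOException {
        ByteBuffer buf = ByteBuffer.wrap(content);
        while (buf.hasRemaining()) {
            ch.write(buf);
        }
    }

    /**
     * Create missing parent directories as 0700 and the file as 0600 in the same system call
     * that creates it, then write. The kernel ANDs the umask in, so it can only tighten further.
     * An existing file is tightened first and rewritten without following a symlink.
     */
    static void writeSecret(Path file, byte[] content) throws IOException {
        Path abs = file.toAbsolutePath().normalize();
        requirePosix(abs);
        Files.createDirectories(abs.getParent(), PosixFilePermissions.asFileAttribute(DIR_700));
        FileAttribute<Set<PosixFilePermission>> mode600 = PosixFilePermissions.asFileAttribute(FILE_600);
        Set<OpenOption> createNew = Set.<OpenOption>of(StandardOpenOption.WRITE, StandardOpenOption.CREATE_NEW);
        try (SeekableByteChannel ch = Files.newByteChannel(abs, createNew, mode600)) {
            writeFully(ch, content);   // new inode: born 0600, never 0644
            return;
        } catch (FileAlreadyExistsException existing) {
            // fall through: tighten the existing file before touching its contents
        }
        if (Files.isSymbolicLink(abs)) {
            throw new IOException("refusing to write through symlink " + abs);
        }
        Files.setPosixFilePermissions(abs, FILE_600);
        Set<OpenOption> rewrite = Set.<OpenOption>of(StandardOpenOption.WRITE,
                StandardOpenOption.TRUNCATE_EXISTING, LinkOption.NOFOLLOW_LINKS);
        try (SeekableByteChannel ch = Files.newByteChannel(abs, rewrite)) {
            writeFully(ch, content);
        }
    }

    /** True when no group/other bit is set, i.e. the mode is 0600/0700 or stricter. */
    static boolean isOwnerOnly(Path p) throws IOException {
        return Collections.disjoint(
                Files.getPosixFilePermissions(p, LinkOption.NOFOLLOW_LINKS), GROUP_OR_OTHER);
    }

    public static void main(String[] args) throws IOException {
        // Demo in a private temp directory (createTempDirectory itself uses 0700 on POSIX).
        Path secret = Files.createTempDirectory("cwe732").resolve("config").resolve("secrets.conf");
        writeSecret(secret, "db.password=example-only\n".getBytes(StandardCharsets.UTF_8));
        System.out.println("fresh file:    " + PosixFilePermissions.toString(Files.getPosixFilePermissions(secret)));
        // Simulate drift the way the vulnerable pattern leaves it, then rewrite through the same path.
        Files.setPosixFilePermissions(secret, PosixFilePermissions.fromString("rw-rw-rw-"));
        writeSecret(secret, "db.password=rotated\n".getBytes(StandardCharsets.UTF_8));
        System.out.println("after rewrite: " + PosixFilePermissions.toString(Files.getPosixFilePermissions(secret))
                + " owner-only=" + isOwnerOnly(secret));
    }
}
```

CREATE_NEW makes the create-and-set-mode step a single open(2) with O_CREAT|O_EXCL, so there is no moment at which the file exists with a mode the umask chose; the rewrite path uses O_NOFOLLOW (NOFOLLOW_LINKS) so a symlink planted by another local user cannot redirect the write. requirePosix is deliberately strict: on a store without the posix view the original pattern would have silently produced a file with whatever the platform default is.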
Key Imports
```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;
```
Verification
After remediation:
Run the SAST scanner again to confirm the CWE-732 finding is resolved
Review all instances of the vulnerable pattern, including permissions set through java.io.File and shell-outs to chmod
Add unit tests that assert written files carry no GROUP_* or OTHERS_* bits (Files.getPosixFilePermissions) and that an existing loose file is tightened on rewrite
Check for similar patterns in related code (temp files, exported reports, upload and log directories)
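For the unit-test step above, an added example of a JUnit 5 test (not part of the original skill) that audits a configuration tree for any group/other bit and fails if it finds one. `ConfigDirPermissionsTest`, `findLoosePermissions`, and the fixture directory are this example's own names; it assumes JUnit 5 (junit-jupiter) on the test classpath and Java 11 or later, and skips itself on file systems without a POSIX view. In a real project the constructed fixture would be replaced by the directory your hardened writer actually produces.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assumptions.assumeTrue;

import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;

class ConfigDirPermissionsTest {
    private static final Set<PosixFilePermission> GROUP_OR_OTHER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Every entry under root (root included) with any group/other bit set, as "relative-path mode". */
    static List<String> findLoosePermissions(Path root) throws IOException {
        List<Path> entries;
        try (Stream<Path> walk = Files.walk(root)) {   // Files.walk does not follow symlinks unless asked
            entries = walk.collect(Collectors.toList());
        }
        List<String> offenders = new ArrayList<>();
        for (Path p : entries) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p, LinkOption.NOFOLLOW_LINKS);
            if (!Collections.disjoint(perms, GROUP_OR_OTHER)) {
                offenders.add(root.relativize(p) + " " + PosixFilePermissions.toString(perms));
            }
        }
        return offenders;
    }

    @Test
    void secretsTreeHasNoGroupOrOtherBits(@TempDir Path tmp) throws IOException {
        assumeTrue(FileSystems.getDefault().supportedFileAttributeViews().contains("posix"),
                "POSIX permissions not available on this platform");

        // Constructed fixture standing in for /app/config as the hardened writer should leave it.
        Path config = Files.createDirectory(tmp.resolve("config"),
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        Path secret = Files.createFile(config.resolve("secrets.conf"),
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        Files.writeString(secret, "api.key=example-only\n");
        assertEquals(List.of(), findLoosePermissions(config));

        // Regression: loosen the file the way the vulnerable pattern does; the audit must catch it.
        Files.setPosixFilePermissions(secret, PosixFilePermissions.fromString("rw-r--r--"));
        assertEquals(List.of("secrets.conf rw-r--r--"), findLoosePermissions(config));
    }
}
```

The audit reads permissions with NOFOLLOW_LINKS so a symlink inside the tree is judged by its own mode rather than by whatever it points at, and the second assertion keeps the test honest: a test that can only pass is not verifying the fix.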
Trigger Examples
Fix CWE-732 vulnerability
Resolve Improper File Permissions issue
Secure this Java code against improper file permissions
SAST reports CWE-732
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
References
Source: Generated by Java CWE Security Skills Generator
Last Updated: 2026-03-07