...

Allowing a constructor to call overridable methods can provide an attacker with access to the this reference before an object is fully initialized, which could lead to a vulnerability.
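The following is an added example, not code from the CERT page, that makes the risk concrete. `SuperClass` calls the overridable `doLogic()` from its constructor, so the `SubClass` override runs while `this` refers to an object whose `SubClass` field initializers have not yet executed, and the override observes `color` as `null` instead of `"red"`. The compliant pair beside it keeps the constructor-invoked method `final`, which is the fix the rule calls for (constructors should invoke only final or private methods); the subclass then performs its own work only after construction completes. All class and field names here (`Met05jDemo`, `SuperClass`, `SubClass`, `color`, `colorSeenDuringConstruction`) are illustrative choices for this example.

```java
// Added example for MET05-J (not the CERT page's own code): why a constructor
// must not call an overridable method, and one compliant alternative.
public final class Met05jDemo {

    // Noncompliant: the constructor calls an overridable method. Dynamic
    // dispatch sends the call to a subclass override before the subclass
    // portion of the object has been initialized.
    static class SuperClass {
        SuperClass() {
            doLogic();
        }

        void doLogic() {
            System.out.println("This is superclass!");
        }
    }

    static class SubClass extends SuperClass {
        // Non-final field: its initializer runs only after super() returns.
        private String color = "red";
        // Records what the override saw while 'this' was partially built.
        String colorSeenDuringConstruction;

        @Override
        void doLogic() {
            // Invoked from SuperClass(): 'this' has escaped to subclass code
            // before SubClass's initializers ran, so color is still null.
            colorSeenDuringConstruction = color;
            System.out.println("This is subclass! The color is: " + color);
        }
    }

    // Compliant: the method invoked from the constructor is final, so no
    // subclass code can execute against the partially constructed object.
    static class SafeSuperClass {
        SafeSuperClass() {
            doLogic();
        }

        final void doLogic() {
            System.out.println("This is superclass!");
        }
    }

    static class SafeSubClass extends SafeSuperClass {
        private String color = "red";

        // Subclass-specific behaviour is exposed as an ordinary method that
        // callers invoke on a fully constructed instance.
        void doSubclassLogic() {
            System.out.println("This is subclass! The color is: " + color);
        }
    }

    public static void main(String[] args) {
        SubClass bad = new SubClass();
        // The override ran on a half-initialized object: null during
        // construction, "red" only once the constructor chain finished.
        System.out.println("seen during construction: " + bad.colorSeenDuringConstruction
                + ", after construction: " + bad.color);

        SafeSubClass good = new SafeSubClass();
        good.doSubclassLogic(); // color is "red" here
    }
}
```

Compile and run with `javac Met05jDemo.java && java Met05jDemo`. Making `doLogic()` `private` or `static` in `SuperClass` would equally remove the dispatch to subclass code; the essential property is that nothing a subclass can override executes while the constructor is still running. The SonarQube checker S1699 listed under Automated Detection flags exactly the `SuperClass()` pattern shown here.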

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
MET05-J  Medium    Probable    Medium            P8        L2

Automated Detection

Automated detection of constructors that contain invocations of overridable methods is straightforward.

Tool       Version      Checker  Description
SonarQube  SonarQube_V  S1699    Implemented

...


Related Guidelines

ISO/IEC TR 24772:2010                              Inheritance [RIP]
Secure Coding Guidelines for Java SE, Version 5.0  Guideline 7-4 / OBJECT-4: Prevent constructors from calling methods that can be overridden

Bibliography

[ESA 2005]    Rule 62, "Do not call nonfinal methods from within a constructor"
[JLS 2015]    Chapter 8, "Classes"; §12.5, "Creation of New Class Instances"
[Rogue 2000]  Rule 81, "Do not call non-final methods from within a constructor"

...