Comment: Changed to Applicability

...

// Contract for producing an unmodifiable view of a SensitiveMutable
interface UnmodifiableInterface {
  SensitiveMutable unmodifiableView(SensitiveMutable sm);
}

// Subclass that disables the mutator by throwing an exception
class UnmodifiableSensitiveMutable extends SensitiveMutable {
  int[] array = new int[10];

  public void setArray(int[] i) {
    throw new UnsupportedOperationException();
  }
}

class UnmodifiableWrapper extends UnmodifiableSensitiveMutable implements UnmodifiableInterface {
  public SensitiveMutable unmodifiableView(SensitiveMutable sm) {
    return new UnmodifiableWrapper(); // subtype of SensitiveMutable
  }
}

class Invoker {
  public static void main(String[] args) {
    SensitiveMutable sm = new SensitiveMutable(); // the sensitive object to protect
    UnmodifiableWrapper uw = new UnmodifiableWrapper();
    SensitiveMutable s = uw.unmodifiableView(sm);
    s.setArray(new int[10]); // throws UnsupportedOperationException unlike s.getArray()
  }
}
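An added example, not part of the original guideline: a read-only view that delegates reads to the backing object, so untrusted code sees the owner's current data but cannot change it. The SensitiveMutable class below is a constructed stand-in (its real definition is not shown in this excerpt), and ReadOnlySensitiveMutable and ViewDemo are hypothetical names.

```java
import java.util.Arrays;
import java.util.Objects;

// Added example; ViewDemo is declared first so `java ViewDemo.java` runs it.
public class ViewDemo {
  public static void main(String[] args) {
    SensitiveMutable sm = new SensitiveMutable();
    sm.setArray(new int[] {1, 2, 3});

    SensitiveMutable view = new ReadOnlySensitiveMutable(sm); // handed to untrusted code

    view.getArray()[0] = 99; // changes only the copy returned by the getter
    System.out.println("owner after write via getter: " + Arrays.toString(sm.getArray()));

    try {
      view.setArray(new int[] {7});
    } catch (UnsupportedOperationException e) {
      System.out.println("setArray rejected: " + e.getMessage());
    }

    sm.setArray(new int[] {4, 5}); // the owner can still update; the view reflects it
    System.out.println("view after owner update: " + Arrays.toString(view.getArray()));
  }
}

// Constructed stand-in for the page's SensitiveMutable (assumption).
class SensitiveMutable {
  private int[] array = new int[10];

  public int[] getArray() { return array.clone(); }    // defensive copy on read

  public void setArray(int[] i) { array = i.clone(); } // defensive copy on write
}

// Read-only view: final so untrusted code cannot subclass it and restore the setter.
final class ReadOnlySensitiveMutable extends SensitiveMutable {
  private final SensitiveMutable backing;

  ReadOnlySensitiveMutable(SensitiveMutable backing) {
    this.backing = Objects.requireNonNull(backing);
  }

  @Override
  public int[] getArray() { return backing.getArray(); } // still a copy, never the live array

  @Override
  public void setArray(int[] i) {
    throw new UnsupportedOperationException("read-only view");
  }
}
```

The getter's defensive copy matters as much as the throwing setter: without it, the view would hand out the live array and the owner's state could be changed through it.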

...

Applicability

Failure to provide an unmodifiable safe-view of a sensitive mutable object to untrusted code can lead to malicious tampering and corruption of the object.

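| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|-----------|----------|------------|------------------|----------|-------|
| SEC59-JG  | medium   | probable   | high             | P4       | L3    |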

Automated Detection

Automated detection is not feasible.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

[Tutorials 2008] Unmodifiable Wrappers

...