SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 78

changes.mady.by.user Paul Ruggiero

Saved on

compared with

New Version 79

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot (vkp) v1.0

Methods that can be invoked from untrusted code to modify a static field must synchronize access to that field. That is necessary because there is no guarantee that untrusted clients will externally synchronize when accessing the field. Because a static field is shared by all clients, untrusted clients may violate the contract by failing to provide suitable locking.

Wiki Markup
According to Joshua Bloch \[[Bloch 2008|AA. Java References#Bloch 08]\]

If a method modifies a static field, you must synchronize access to this field, even if the method is typically used only by a single thread. It is not possible for clients to perform external synchronization on such a method because there can be no guarantee that unrelated clients will do likewise.

Documented design intent is irrelevant when dealing with untrusted code because an attacker can always choose to ignore the documentation.

Noncompliant Code Example

This noncompliant code example does not synchronize access to the static counter field.

Code Block
bgColor#FFCCCC
/** This class is not thread-safe */
public final class CountHits {
  private static int counter;

  public void incrementCounter() {
    counter++;
  }
}

This class definition does not violate guideline VNA02-J. Ensure that compound operations on shared variables are atomic, which only applies to classes that promise thread-safety. However, this class has a mutable static counter field that is modified by the publicly accessible incrementCounter() method. Consequently, this class cannot be used securely by trusted client code, if untrusted code can purposely fail to externally synchronize access to the field.

Compliant Solution

This compliant solution uses a static private final lock to protect the counter field and, consequently, does not depend on any external synchronization. This solution also complies with guideline LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code.

Code Block
bgColor#ccccff
/** This class is thread-safe */
public final class CountHits {
  private static int counter;
  private static final Object lock = new Object();

  public void incrementCounter() {
    synchronized (lock) {
      counter++;
    }
  }
}

Risk Assessment

Failing to internally synchronize access to static fields that may be modified by untrusted code will result in incorrectly synchronized code, if the author of the untrusted code chooses to ignore the synchronization policy.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

LCK05-J

low

probable

medium

P4

L3

Automated Detection

TODO

Related Vulnerabilities

Any vulnerabilities resulting from the violation of this rule are listed on the CERT website.

References

Wiki Markup
\[[API 2006|AA. Java References#API 06]\]
\[[Bloch 2008|AA. Java References#Bloch 08]\] Item 67: "Avoid excessive synchronization"

Issue Tracking

Tasklist
Review List
Review List
 
||Completed||Priority||Locked||CreatedDate||CompletedDate||Assignee||Name||

      12. Locking (LCK)