...
Code Block
// Callback contract handed to Client. Both the interface and its single method are
// public, so any code that obtains a CallBack reference can trigger whatever the
// implementation does inside callMethod().
public interface CallBack {
  void callMethod();
}

// Callback implementation that resolves a user name for a numeric uid.
//
// NOTE(review): the privileged file read in callMethod() runs whenever callMethod() is
// invoked, and callMethod() is reachable through the public CallBack interface. Inside
// AccessController.doPrivileged() the check is made against this class's own permissions
// rather than the whole call stack (per the java.security.AccessController contract), so
// the privilege is effectively delegated to whoever holds the callback reference. This is
// the exposure the page's "Applicability" section refers to.
class UserLookupCallBack implements CallBack {
  //private int uid and name fields, other code public;
  // NOTE(review): the uid field assigned in the constructor is not declared anywhere in
  // this listing; it was presumably lost when the page was extracted — verify against
  // the original listing.
  private String name;

  // uid is the numeric user id to look up; it is stored for use by callMethod().
  public UserLookupCallBack(int uid) {
    this.uid = uid;
  }

  // Returns the name resolved by the most recent callMethod() call, or null if that
  // lookup failed (see the catch block below).
  public String getName() {
    return name;
  }

  // Performs the lookup inside a privileged action so that the read of /etc/passwd is
  // not subject to the permissions of the code that called callMethod().
  public void callMethod() {
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
      public Void run() {
        // try-with-resources closes the stream on every exit path; the lookup body
        // itself is elided in this listing.
        try (InputStream fis = new FileInputStream("/etc/passwd")) {
          // Look up userid & assign to UserLookupCallBack.this.name
        } catch (IOException x) {
          // Failure surfaces only as a null name; the exception is dropped, so a caller
          // cannot tell "no such user" from "file unreadable".
          UserLookupCallBack.this.name = null;
        }
        return null;
      }
    });
  }
}

// NOTE(review): the fragment below looks like a second column of the source table
// (a "rest ... unchanged" listing) merged into this one during extraction. As written
// it declares Client twice, which does not compile; treat it as residue rather than
// as part of the example.
class Client {
  // ... rest of UserLookupCallBack unchanged
}

// Holds a caller-supplied CallBack and invokes it on demand.
class Client {
  // Set by registerCallBack(). Not final and package-visible, so it can be replaced
  // after registration by any class in the same package.
  CallBack callback;

  // Stores the callback that doSomething() will invoke.
  public void registerCallBack(CallBack callback) {
    this.callback = callback;
  }

  // Invokes the registered callback; throws NullPointerException if none was registered.
  public void doSomething() {
    callback.callMethod();
  }

  // Entry point: args[0] is parsed as the uid. No validation is done, so an absent or
  // non-numeric argument throws ArrayIndexOutOfBoundsException / NumberFormatException.
  public static void main(String[] args) {
    int uid = Integer.parseInt(args[0]);
    Client client = new Client();
    CallBack callBack = new UserLookupCallBack(uid);
    client.registerCallBack(callBack);
    // ...
    client.doSomething(); // Looks up user name
    // NOTE(review): "rest of Client unchanged }" on the next line looks like extraction
    // residue from the second table column. Separately, callBack is declared as
    // CallBack, which declares only callMethod(); getName() exists on UserLookupCallBack,
    // so this call does not compile unless the original listing typed the variable as
    // UserLookupCallBack.
    System.out. rest of Client unchanged } println("User " + uid + " is named " + callBack.getName());
  }
}
Applicability
Exposing sensitive methods through callbacks can result in misuse of privileges and arbitrary code execution.
...