SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 83

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 84

changes.mady.by.user Shannon Haas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Mutable classes allow code external to the class to alter their instance or class fields. Provide means for creating copies of mutable classes so that 'disposable' instances of such classes can be passed to untrusted code. This functionality is useful when methods in other classes need to create copies of the particular class instance; see guidelines "FIO00-J. Defensively copy mutable inputs and mutable internal components" and "OBJ09-J. Defensively copy private mutable class members before returning their references" for additional details.

Mutable classes must provide either a copy constructor or a public static factory method that returns a copy of an instance. Alternatively, final classes may advertise their copy functionality by overriding the clone() method of java.lang.Object's clone() method. Use of the clone() method is secure only for final classes; non-final classes must not take this approach.

Trusted callers can be trusted to use the provided copy functionality to make defensive copies before passing object instances to untrusted code. Untrusted callers cannot be trusted to make such defensive copies. Consequently, providing copy functionality does not obviate the need for making defensive copies either of inputs received from, or of outputs that are returned to, untrusted code.

...

When a trusted caller passes an instance of MutableClass to untrusted code, and the untrusted code modifies that instance (perhaps by incrementing the month or changing the timezone), the state of the object can be made inconsistent with respect to its previous state. Similar problems can arise in the presence of multiple threads, even in the absence of untrusted code.

...

This compliant solution provides the needed copy functionality by declaring MutableClass to be final, and by implementing the Cloneable interface, and providing an Object.clone() method that performs a deep copy of the object.

...

When untrusted code can call accessor methods passing mutable arguments, create defensive copies of the arguments before they are stored in any instance fields. See guideline "FIO00-J. Defensively copy mutable inputs and mutable internal components" for additional information. When retrieving internal mutable state, make a defensive copy of that state before returning it to untrusted code. See guideline "OBJ09-J. Defensively copy private mutable class members before returning their references" for additional information.

Defensive copies are unnecessary if untrusted code always invokes an object's clone() method on a mutable state received from mutable classes and then operated only on the cloned copy. Unfortunately, untrusted code has little incentive to do so, and malicious code has every incentive to misbehave. This compliant solution both provides a clone() method to trusted code and also guarantees that the state of the object cannot be compromised when the accessor methods are called directly from untrusted code.

Compliant Solution (clone() with final members)

When a mutable class' s instance fields are declared final and lack accessible copy methods, provide a clone() method, as shown in this compliant solution.

...

Wiki Markup
Callers can use the {{clone()}} method to obtain an instance of such a mutable class. The {{clone()}} method must create a new instance of the {{final}} member class and copy the original state to it. The new instance is necessary because nothere might not be an accessible copy method may be available in the member class. If the member class evolves in the future, it is critical to include the new state in the manual copy. Finally, the {{clone()}} method must create and return a new instance of the enclosing class ({{MutableClass}}) using the newly created member instance ({{d}}) \[[SCG 2007|AA. Bibliography#SCG 07]\].

Mutable classes that define a clone() method must be declared final.

Exceptions

OBJ08-EX0EX1: Sensitive classes should not be cloneable, as per guideline "OBJ03-J. Sensitive classes must not let themselves be copied."

Risk Assessment

Creating a mutable class without without providing copy functionality may can result in the data of its instance becoming corrupted when the instance is passed to untrusted code.

...

Sound automated detection appears to be infeasible in the general case. Heuristic approaches may could be useful.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

Wiki Markup
\[[API 2006|AA. Bibliography#API 06]\] [method clone()|http://java.sun.com/javase/6/docs/api/java/lang/Object.html#clone()]
\[[Bloch 2008|AA. Bibliography#Bloch 08]\] Item 39: Make defensive copies when needed and Item 11: Override clone judiciously
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 374|http://cwe.mitre.org/data/definitions/374.html] "Mutable Objects Passed by Reference", [CWE ID 375|http://cwe.mitre.org/data/definitions/375.html] "Passing Mutable Objects to an Untrusted Method"\[[Security 2006|AA. Bibliography#Security 06]\]
\[[SCG 2007|AA. Bibliography#SCG 07]\] Guideline 2-2 Support copy functionality for a mutable class
\[[SCG 2009|AA. Bibliography#SCG 09]\] Guideline 2-3 Support copy functionality for a mutable class

...