SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 18

changes.mady.by.user Pennie Walters

Saved on

compared with

New Version 19

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Sealing a JAR file automatically enforces the requirement of keeping privileged code together. In addition, it is important to adhere to SEC05-J. Minimize accessibility of classes and their members.

Noncompliant Code Example

This noncompliant code example uses a doPrivileged block and calls a method defined in a class that exists in a different, untrusted package. An attacker can provide an implementation of class RetValue so that the privileged code uses the wrong return value. If class MixMatch trusted only signed code, even then an attacker can cause this behavior by maliciously deploying a legibly signed class and linking it to the privileged code.

Code Block
bgColor#FFcccc
package trusted;
import untrusted.RetValue;

public class MixMatch {
  private void privilegedMethod() throws IOException {
    try {
      FileInputStream fis
        = (FileInputStream) AccessController.doPrivileged(
	     new PrivilegedExceptionAction() {
               public FileInputStream run() throws FileNotFoundException {
	         return new FileInputStream("file.txt");
	       }
             }
	   );

      RetValue rt = new RetValue();

      if(rt.getValue() == 1) {
	// do something with sensitive file
      }
    } catch (PrivilegedActionException e) {
      // forward to handler and log
    } finally {
      fis.close();
    }

  }

  public static void main(String[] args) throws IOException {
    MixMatch mm = new MixMatch();
    mm.privilegedMethod();
  }
}

package untrusted;

class RetValue {
  public int getValue() {
    return 1;
  }
}

Compliant Solution

This compliant solution combines all privileged code into the same package and reduces the accessibility of the getValue() method to package-private. Sealing the package is necessary to prevent attackers from inserting any rogue classes.

...

Code Block
Name: trusted/ // package name
Sealed: true  // sealed attribute

Risk Assessment

Failure to place all privileged code together, in one package and sealing the package can lead to mix and match attacks.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ENV04- J

high

probable

medium

P12

L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\]
\[[Ware 08|AA. Java References#Ware 08]\]
\[[McGraw 00|AA. Java References#Ware 00]\] Rule 7: If You Must Sign Your Code, Put It All in One Archive File (sic)
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data|http://cwe.mitre.org/data/definitions/349.html]

...