Untrusted code can misuse APIs provided by trusted code by overriding methods such as Object.equals(), Object.hashCode() and Thread.run(). These methods are primarily targeted because they are most often used behind the scenes and may interact with components in a way that is not clearly easily discernible.
By providing overridden implementations, untrusted code may be able to glean sensitive information, cause arbitrary code to run and expose denial of service vulnerabilities.
...
The programmer expects Parent and Child to be printed, however, Child is printed twice. This is because the overridden method run() is invoked both the times when a new thread is started.
Compliant Solution
Modify the SubWorker class and remove the call to super.startThread().
| Code Block | ||
|---|---|---|
| ||
public class SubWorker extends Worker {
@Override
public void startThread(String name) {
new Thread(this, name).start();
}
// ...
} |
Modify the client to start the parent and child threads separately
| Code Block |
|---|
Worker w1 = new Worker();
w1.startThread("parent-thread");
Worker w2 = new SubWorker();
w2.startThread("child-thread"); |
Related Guidelines
| SCG 2013 | Guideline 6-5: Do not trust identity equality when overridable on input reference objects |
Bibliography
| [API 2011] | Class IdentityHashMap |
| Need to add | http://markmail.org/message/4scermxmn5oqhyii |
...