Java's object cloning mechanism allows an attacker to manufacture new instances of a class without executing its constructor. The new instances are made by copying the memory images of existing objects rather than by running the constructor, so any validation or initialization the constructor performs is skipped. Often this is not an acceptable way of creating new objects. An attacker can misuse the clone feature to manufacture multiple instances of a singleton class, create serious thread-safety issues by subclassing and cloning the subclass, bypass security checks within the constructor, and violate the invariants of critical data.

...

This noncompliant code example derives some of its functional behavior from the implementation of the class java.lang.StringBuffer prior to JDK v1.5. It defines a class SensitiveClass that contains a character array used internally to hold a filename, along with a Boolean shared flag initialized to false.

...

It proceeds to create its own instance (ms1) and produces a second one (ms2) by cloning the first. It then obtains a new String filename object by invoking the get() method on the first instance. At this point, the shared flag of ms1 is set to true. Because the second instance (ms2) was copied before that happened and does not have its shared flag set to true, it is possible to alter the first instance ms1 using the replace() method on ms2, since Object.clone() performs a shallow copy and both instances refer to the same character array. This obviates any security efforts and severely violates the class's invariants.
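The sequence the text describes, as an added example that is not the page's (elided) code: a reconstruction of the noncompliant class modeled on the copy-on-write buffer of pre-JDK-1.5 StringBuffer, followed by a noncopyable counterpart. The names CloneDemo and NoncopyableSensitiveClass, the copy-on-write logic in replace(), and the filename value are assumptions introduced for the demonstration; SensitiveClass, get(), replace(), ms1 and ms2 follow the text.

```java
import java.util.Arrays;

public class CloneDemo {

  // Noncompliant (added reconstruction, not the original page's code):
  // implements Cloneable and relies on Object.clone(), which performs a
  // shallow copy. The clone therefore shares the char[] buffer but carries
  // its own copy of the 'shared' flag, which was false at clone time.
  static class SensitiveClass implements Cloneable {
    private char[] filename;
    private boolean shared = false;

    SensitiveClass(String name) {
      filename = name.toCharArray();
    }

    // Hand out the filename and mark the buffer as shared so that a later
    // replace() on THIS object copies before writing (copy-on-write).
    String get() {
      shared = true;
      return new String(filename);
    }

    // Copy the buffer only if it is marked shared, then write in place.
    void replace(char c) {
      if (shared) {
        filename = filename.clone();
        shared = false;
      }
      filename[0] = c;
    }

    @Override
    public SensitiveClass clone() throws CloneNotSupportedException {
      return (SensitiveClass) super.clone();  // shallow copy: buffer is shared
    }
  }

  // Compliant counterpart: final (no malicious subclass can add Cloneable or
  // reach super.clone()) and clone() unconditionally refuses.
  static final class NoncopyableSensitiveClass {
    private final char[] filename;

    NoncopyableSensitiveClass(String name) {
      filename = name.toCharArray();
    }

    String get() {
      return new String(filename);
    }

    @Override
    public Object clone() throws CloneNotSupportedException {
      throw new CloneNotSupportedException();
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed input for the demonstration.
    SensitiveClass ms1 = new SensitiveClass("file.txt");
    SensitiveClass ms2 = ms1.clone();   // ms2.shared == false, same char[]
    String before = ms1.get();          // ms1.shared == true
    ms2.replace('x');                   // no copy in ms2: writes the shared buffer
    String after = ms1.get();
    System.out.println("ms1 before: " + before + ", after: " + after);
    System.out.println("ms1 altered through ms2: " + !before.equals(after));

    NoncopyableSensitiveClass safe = new NoncopyableSensitiveClass("file.txt");
    try {
      safe.clone();
      System.out.println("unexpected: clone succeeded");
    } catch (CloneNotSupportedException e) {
      System.out.println("clone of noncopyable class refused: " + e);
    }
    System.out.println(Arrays.toString(safe.get().toCharArray()));
  }
}
```

Compile and run with `javac CloneDemo.java && java CloneDemo`: the first block prints that ms1 changed from `file.txt` to `xile.txt` even though only ms2 was modified, and the second block shows the CloneNotSupportedException from the noncopyable class.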

...

Sensitive classes should not implement the Cloneable interface. Classes that extend a superclass that implements Cloneable (and are consequently cloneable) should provide a clone() method that throws a CloneNotSupportedException. This exception must be caught and handled by the client code. A sensitive class that does not implement Cloneable must also follow this advice because it inherits the clone() method from Object, and a subclass could otherwise implement Cloneable and reach that inherited method.

final class SensitiveClass {
  // ...
  // Override Object.clone() (lowercase c; a method named Clone() would
  // not override it) and refuse unconditionally.
  @Override
  public Object clone() throws CloneNotSupportedException {
    throw new CloneNotSupportedException();
  }
}

SensitiveClass must also be declared final to prevent malicious subclassing. This prevents an attacker from subclassing the sensitive class, adding Cloneable or a permissive clone() in the subclass, and creating copies of the subclass.

...

Bibliography
[Mcgraw 1998]
[Wheeler 2003] Section 10.6, Java
[MITRE 2009] CWE ID 498, "Information Leak through Class Cloning", http://cwe.mitre.org/data/definitions/498.html; CWE ID 491, "Public cloneable() Method Without Final (aka 'Object Hijack')", http://cwe.mitre.org/data/definitions/491.html

...
