Versions Compared

Comment: Removed final component of the rule which was orthogonal and redundant with OBJ06-J

...

For non-final classes, the method that performs the security manager check must be invoked as an argument to a private constructor to ensure that the security check is performed before any superclass's constructor can exit. For an example of this technique, see rule OBJ11-J. Be wary of letting constructors throw exceptions.
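The following is an added illustration of the private-constructor sequencing described above; it is not the code from rule OBJ11-J. The class names, the permission name and the `BaseResource` superclass are assumptions made for this example. The point it shows is that the argument expression of `this(...)` is evaluated before any constructor body, including the superclass's, begins to run.

```java
import java.security.Permission;

// Added example (not the OBJ11-J code): a security check evaluated as a
// constructor argument, so it runs before the superclass constructor starts.
public class GuardedResource extends BaseResource {

    // Public constructor: performSecurityCheck() is evaluated before the
    // this(...) call dispatches. If it throws, BaseResource's constructor
    // never runs and Object's constructor never completes, so the instance
    // is never finalizable (JLS 12.6) and no partially constructed object
    // can leak to a subclass.
    public GuardedResource() {
        this(performSecurityCheck());
    }

    // Private constructor: the Void parameter carries no data; it exists
    // only to force the check to precede superclass construction.
    private GuardedResource(Void checkToken) {
        super();
    }

    private static Void performSecurityCheck() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Permission name is a placeholder chosen for this example.
            Permission p = new RuntimePermission("example.guardedResource");
            sm.checkPermission(p);
        }
        return null;
    }

    public static void main(String[] args) {
        // With no security manager installed the check is a no-op and
        // construction succeeds; the superclass constructor runs afterwards.
        new GuardedResource();
    }
}

// Assumed superclass: prints so the ordering is visible when run.
class BaseResource {
    BaseResource() {
        System.out.println("BaseResource constructor ran");
    }
}
```

Note that `SecurityManager` was deprecated for removal in Java 17 (JEP 411); the sequencing technique itself applies equally to any check a constructor performs before trusting its callers.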

A method that receives an untrusted, nonfinal input argument must be aware that other methods or threads might concurrently modify the input object. Some methods attempt to prevent modification by making a local copy of the input object. This is insufficient because a shallow copy of an object can still refer to mutable subobjects that can be modified by other methods or threads. Some methods go further and perform a deep copy of the input object. Although this mitigates the problem of modifiable subobjects, the method could still receive as an argument a mutable object that extends the input object class and provides inadequate copy functionality.

Noncompliant Code Example (BigInteger)

...

final class BigInteger {
  // ...
}

Compliant Solution (Class Sanitization)

The instances of nonfinal classes obtained from untrusted sources must be used with care because their methods might be overridden by malicious methods. This potential vulnerability can be mitigated by making defensive copies of the acquired instances prior to use. This compliant solution demonstrates this technique for a BigInteger argument [Bloch 2008].

public static BigInteger safeInstance(BigInteger val) {
  // Create a defensive copy if the runtime class is not exactly
  // java.math.BigInteger (i.e., val is an instance of some subclass whose
  // methods might be overridden).
  if (val.getClass() != java.math.BigInteger.class) {
    return new BigInteger(val.toByteArray());
  }
  return val;
}
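The following added harness (not part of the CERT page or Bloch's text) shows why the class check matters. It assumes a hypothetical `LyingBigInteger` subclass whose `signum()` is overridden to misreport the sign, and a hypothetical `Account` class that validates a deposit amount. The `safeInstance` method is the one from the compliant solution above, reproduced so the example runs stand-alone.

```java
import java.math.BigInteger;

// Added example: sanitizing an untrusted BigInteger before validating it.
public final class DefensiveCopyDemo {

    // Same technique as the compliant solution: copy unless the runtime
    // class is exactly java.math.BigInteger.
    static BigInteger safeInstance(BigInteger val) {
        if (val.getClass() != BigInteger.class) {
            return new BigInteger(val.toByteArray());
        }
        return val;
    }

    // Hypothetical untrusted subclass for the demonstration: signum()
    // misreports the sign while the underlying value (and therefore
    // toByteArray()) is genuinely negative.
    static final class LyingBigInteger extends BigInteger {
        LyingBigInteger(String value) { super(value); }
        @Override public int signum() { return 1; }
    }

    // Hypothetical class that must never accept a negative deposit.
    static final class Account {
        private BigInteger balance = BigInteger.ZERO;

        // Unsafe: validates using the argument's possibly overridden methods.
        // BigInteger.add() works on internal fields, so the real (negative)
        // value is what gets added.
        void depositUnchecked(BigInteger amount) {
            if (amount.signum() < 0) {
                throw new IllegalArgumentException("negative amount");
            }
            balance = balance.add(amount);
        }

        // Safe: sanitize first, then validate the trusted copy.
        void deposit(BigInteger amount) {
            BigInteger safe = safeInstance(amount);
            if (safe.signum() < 0) {
                throw new IllegalArgumentException("negative amount");
            }
            balance = balance.add(safe);
        }

        BigInteger balance() { return balance; }
    }

    public static void main(String[] args) {
        BigInteger untrusted = new LyingBigInteger("-100");

        Account a = new Account();
        a.depositUnchecked(untrusted);   // overridden signum() defeats the check
        System.out.println("unchecked balance: " + a.balance());

        Account b = new Account();
        try {
            b.deposit(untrusted);        // the copy reports the true sign
        } catch (IllegalArgumentException e) {
            System.out.println("sanitized deposit rejected: " + e.getMessage());
        }
        System.out.println("sanitized balance: " + b.balance());
        System.out.println("sanitized class is java.math.BigInteger: "
            + (safeInstance(untrusted).getClass() == BigInteger.class));
    }
}
```

The copy is constructed through `java.math.BigInteger`'s own constructor from `toByteArray()`, so even if the subclass tampered with `toByteArray()` the result is a genuine `BigInteger` whose methods cannot be overridden; every subsequent check operates on that trusted instance rather than on the caller's object.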

...

Compliant Solution (Java SE 6, Public and Private Constructors)

...