Comment: added text to NCCE/CS

Application code that calls security-sensitive methods must validate the arguments being passed to the methods. In particular, null values may be interpreted as benign by certain security-sensitive methods and may override default settings. Although security-sensitive methods must be coded defensively in the first place, sometimes the onus must be on the client code to validate the arguments it provides. Failure to do so can result in privilege escalation and execution of arbitrary code.

...

This noncompliant code example shows the two-argument doPrivileged() method, which takes an access control context as the second argument. The construct allows changing privileges to those of a previously saved context.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;

// accessControlContext is an AccessControlContext saved earlier and supplied by the caller;
// nothing here checks whether it is null before it is handed to doPrivileged()
AccessController.doPrivileged(new PrivilegedAction<Void>() {
  public Void run() {
    // ... privileged work ...
    return null;
  }
}, accessControlContext);
```

A null access control context means that the privileges would not be reduced to those of the previously saved context. Consequently, this code may grant excess privileges if accessControlContext is null. If AccessController.doPrivileged() is intended to be called with a null access control context, it should be explicitly passed the null constant.

Compliant Solution 

This compliant solution ...prevents excess privileges from being granted by ensuring that accessControlContext is not null.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Reject a missing context up front: a null context would silently run the
// action without any reduction of privileges
if (accessControlContext == null) {
  throw new SecurityException("Missing AccessControlContext");
}
AccessController.doPrivileged(new PrivilegedAction<Void>() {
  public Void run() {
    // ... privileged work ...
    return null;
  }
}, accessControlContext);
```
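The following is an added example, not part of the rule text, that puts the noncompliant and compliant snippets above side by side in one runnable class. The class name ContextualPrivilege and the helper names runWithContext, runWithoutSavedContext and captureContext are hypothetical. It assumes a JDK on which AccessController and AccessControlContext are still available (they are deprecated for removal since Java 17, so expect deprecation warnings on recent compilers).

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Objects;

// Hypothetical helper class; not from the original rule text
public final class ContextualPrivilege {

    private ContextualPrivilege() {}

    // Compliant path: refuse a null context so a caller can never fall into
    // the "no privilege reduction" behaviour by accident.
    public static <T> T runWithContext(PrivilegedAction<T> action,
                                       AccessControlContext context) {
        Objects.requireNonNull(action, "action");
        if (context == null) {
            throw new SecurityException("Missing AccessControlContext");
        }
        return AccessController.doPrivileged(action, context);
    }

    // Where running without a saved context is the documented intent, pass the
    // null literal explicitly rather than a variable that merely happens to be null.
    public static <T> T runWithoutSavedContext(PrivilegedAction<T> action) {
        Objects.requireNonNull(action, "action");
        return AccessController.doPrivileged(action, (AccessControlContext) null);
    }

    // Capture the current context at a point where its privileges are known;
    // later doPrivileged() calls made through runWithContext are limited to it.
    public static AccessControlContext captureContext() {
        return AccessController.getContext();
    }

    public static void main(String[] args) {
        AccessControlContext saved = captureContext();

        // Privileges are bounded by the saved context.
        String version = runWithContext(
            () -> System.getProperty("java.version"), saved);
        System.out.println("ran with saved context: " + version);

        // A null context reaching the two-argument form is rejected, not
        // silently treated as "no restriction".
        AccessControlContext missing = null;
        try {
            runWithContext(() -> System.getProperty("user.home"), missing);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Intentional unrestricted call: the null literal makes the intent visible.
        String home = runWithoutSavedContext(() -> System.getProperty("user.home"));
        System.out.println("ran without saved context: " + home);
    }
}
```

Compile and run with `javac ContextualPrivilege.java && java ContextualPrivilege`. The check in runWithContext is the same one the compliant solution performs inline; wrapping it in a helper keeps the validation in one place instead of relying on every call site to remember it.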

...

```java
// Installs the default security manager so that subsequent privileged
// operations are subject to its permission checks
System.setSecurityManager(new SecurityManager());
```

Applicability

Bibliography

...