Page History

...

This noncompliant code example contains a TOCTOU vulnerability. Because cookie is a mutable input, an attacker can cause the cookie it to expire between the initial check (the hasExpired() call) and the actual use (the doLogic() call).

...

This compliant solution avoids the TOCTOU vulnerability by copying the mutable input and performing all operations on the copy. Consequently, an attacker's changes to the mutable input cannot affect the copy. Acceptable techniques include using a copy constructor or implementing the java.lang.Cloneable interface and declaring a public clone method (for classes not declared final). In cases like HttpCookie where the mutable class is declared final — that is, it cannot provide an accessible copy method — perform a manual copy of the object state within the caller. See rule OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code for more information. Note that any input validation must be performed on the copy and not rather than on the original object.

public final class MutableDemo {
  // java.net.HttpCookie is mutable
  public void useMutableInput(HttpCookie cookie) {
    if (cookie == null) {
      throw new NullPointerException();
    }

    // Create copy
    cookie = (HttpCookie)cookie.clone();

    // Check whether cookie has expired
    if (cookie.hasExpired()) {
      // Cookie is no longer valid, handle condition by throwing an exception
    }

    doLogic(cookie);
  }
}

...

Some copy constructors and clone() methods perform a shallow copy of the original instance. For example, invocation of clone() on an array results in creation of an array instance whose elements have the same values as the original instance. This shallow copy is sufficient for arrays of primitive types but fails to protect against TOCTOU vulnerabilities when the elements are references to mutable objects, such as an array of cookies. In this case, Such cases require a deep copy must be performed that also duplicates the referenced elementsreference objects.

This compliant solution demonstrates correct use both of a shallow copy (for the array of int) and also of a deep copy (for the array of cookies).

...

When the class of a mutable input is non-final, nonfinal or is an interface , an attacker can write a subclass that maliciously overrides the parent class's clone() method. The attacker's clone() method can subsequently subvert defensive copying. This noncompliant code example demonstrates this weakness.

...

This compliant solution protects against potential malicious overriding by creating a new instance of the non-final nonfinal mutable input, using the expected class rather than the class of the potentially malicious provided object. The newly created instance can be forwarded to any code capable of modifying it.

...

Some objects appear to be immutable because they have no mutator methods. For example, the java.lang.CharacterSequenceCharSequence interface describes an immutable sequence of characters. Note, however, that a variable of type CharacterSequence CharSequence is a reference to an underlying object of some other class that implements the CharacterSequence CharSequence interface; that other class may be mutable. When the underlying object changes, the CharacterSequence CharSequence changes. Essentially, the java.lang.CharacterSequenceCharSequence interface omits methods that would permit object mutation through that interface but lacks any guarantee of true immutability. Such objects must still be defensively copied before use. For the case of the java.lang.CharacterSequenceCharSequence interface, one permissible approach is to obtain an immutable copy of the characters by using the toString() method. Mutable fields should not be stored in static variables. When there is no other alternative, create defensive copies of the fields to avoid exposing them to untrusted code.

...

...

...