...
This noncompliant code example defines class SensitiveClass, which contains a character array used to internally hold a file name, along with a Boolean shared variable, initialized to false. This data is not meant to be copied; consequently, SensitiveClass lacks a copy constructor.
| Code Block | ||
|---|---|---|
| ||
class SensitiveClass {
private char[] filename;
private Boolean shared = false;
SensitiveClass(String filename) {
this.filename = filename.toCharArray();
}
final void replace() {
if (!shared) {
for(int i = 0; i < filename.length; i++) {
filename[i]= 'x' ;}
}
}
final String get() {
if (!shared) {
shared = true;
return String.valueOf(filename);
} else {
throw new IllegalStateException("Failed to get instance");
}
}
final void printFilename() {
System.out.println(String.valueOf(filename));
}
}
|
...
The malicious class creates an instance ms1 and produces a second instance ms2 by cloning the first. It then obtains a new String filename object by invoking the get() method on the first instance. At this point, the shared flag is set to true. Because the second instance ms2 does not have its shared flag set to true, it is possible to alter the first instance ms1 using the replace() method. This obviates any security efforts and severely violates the class's invariants.
...
Sensitive classes should neither implement the Cloneable interface nor provide a copy constructor. Sensitive classes that extend from a superclass that implements Cloneable (and are cloneable as a result) must provide a clone() method that throws a CloneNotSupportedException. This exception must be caught and handled by the client code. A sensitive class that does not implement Cloneable must also follow this advice because it inherits the clone() method from Object. The class can prevent subclasses from being made cloneable by defining a final clone() method that always fails.
| Code Block | ||
|---|---|---|
| ||
class SensitiveClass {
// ...
public final SensitiveClass clone()
throws CloneNotSupportedException {
throw new CloneNotSupportedException();
}
}
|
This class fails to prevent malicious subclasses but does protect the data in SensitiveClass. Its methods are protected by being declared final. For more information on how to handle handling malicious subclasses, see rule OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c3319ae528304aac-3989ed72-43504c7c-ab1b8863-cfb31834350a29ef366206fc"><ac:plain-text-body><![CDATA[ | [[McGraw 1998 | AA. Bibliography#Mcgraw 98]] | Twelve rules for developing more secure Java code | ]]></ac:plain-text-body></ac:structured-macro> | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="79b7350806499585-89b2de02-44ac4f7f-b816ba57-a9c5c2d7dc67fb40eabacf5b"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE-498 | http://cwe.mitre.org/data/definitions/498.html]. Cloneable class containing sensitive information; [CWE-491 | http://cwe.mitre.org/data/definitions/491.html]. Public | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="587b865ea5f0d18a-8ea46128-45024cd8-a62ebe09-434c8820a2193365c1b3337c"><ac:plain-text-body><![CDATA[ | [[Wheeler 2003 | AA. Bibliography#Wheeler 03]] | 10.6, Java | ]]></ac:plain-text-body></ac:structured-macro> |
...