...
| Code Block | ||
|---|---|---|
| ||
class SensitiveClass {
private char[] filename;
private Boolean shared = false;
protected SensitiveClass(String filename) {
this.filename = filename.toCharArray();
}
protected void replace(){
if(!shared)
for(int i=0;i<filenamei<filename.length;i++) {
filename[i]= 'x';
}
}
protected String get(){
if(!shared){
shared = true;
return String.valueOf(filename);
} else {
throw new Error(""Error getting instance"");
}
}
protected void printFilename(){
System.out.println(String.valueOf(filename));
}
}
class MaliciousSubclass extends SensitiveClass implements Cloneable {
protected MaliciousSubclass(String filename) {
super(filename);
}
@Override public MaliciousSubclass clone() { // Well-behaved clone() method
MaliciousSubclass s = null;
try {
s = (MaliciousSubclass)super.clone();
} catch(Exception e) {
System.out.println(""not cloneable"");
}
return s;
}
public static void main(String[] args){
MaliciousSubclass ms1 = new MaliciousSubclass(""file.txt"");
MaliciousSubclass ms2 = ms1.clone(); // Creates a copy
String s = ms1.get(); // Returns filename
System.out.println(s); // Filename is ""file.txt""
ms2.replace(); // Replaces all characters with x'
// Both ms1.get() and ms2.get() will subsequently return filename = 'xxxxxxxx'
ms1.printFilename(); // Filename becomes 'xxxxxxxx'
ms2.printFilename(); // Filename becomes 'xxxxxxxx'
}
}
|
...
| Wiki Markup |
|---|
\[[Mcgraw 98|AA. Java References#Mcgraw 98]\] \[[Wheeler 03|AA. Java References#Wheeler 03]\] 10.6. Java \[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 498|http://cwe.mitre.org/data/definitions/498.html] ""Information Leak through Class Cloning"", [CWE ID 491|http://cwe.mitre.org/data/definitions/491.html] ""Public cloneable() Method Without Final (aka 'Object Hijack')"" |
...
IDS07MSC31-J. Understand how escape characters are interpreted when String literals are compiled Never hardcode sensitive information 49. Miscellaneous (MSC) MSC33-J. Do not modify the underlying collection when an iteration is in progress