When security checks are based on untrusted sources, those sources could be compromised in such a way that the security check could be bypassed. The untrusted object or parameter should be defensively copied before the security check is carried out. The copy operation must be a deep copy; the implementation of the clone() method may produce a shallow copy, which could still be compromised. Further, the implementation of the clone() method may be provided by the attacker. See guidelines MET08-J. Do not use the clone method to copy untrusted method parameters and FIO00-J. Defensively copy mutable inputs and mutable internal components for more information.

...

Security checks should not be based on untrusted sources. This compliant solution ensures that the java.io.File object can be trusted, because:

  • Our reference to it is declared to be final. Thus, we know that the attacker cannot modify the reference and substitute a different object.
  • We create our own new java.io.File object using the standard java.io.File constructor. This ensures that any methods we invoke on the File object are the standard library methods rather than overriding methods potentially provided by the attacker.
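The following is an added example, not the code from this guideline, showing the defensive-copy pattern described above: the noncompliant method performs the check and the use on the caller's File object, while the compliant method copies the path into a new java.io.File held in a final reference and performs both on the copy. The directory-containment check and the path /var/app/public are constructed for illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

public final class TrustedFileCheck {
    // Constructed policy: only files below this directory may be opened.
    private static final String ALLOWED_DIR =
        new File("/var/app/public").getAbsolutePath() + File.separator;

    private TrustedFileCheck() { }

    // Noncompliant: both the security check and the subsequent open go
    // through the caller's object. If 'f' is an attacker-supplied subclass
    // of File, its overridden methods can answer the check with one path
    // and the open with another, so the check is bypassed.
    public static InputStream openNoncompliant(File f) throws IOException {
        if (!f.getCanonicalPath().startsWith(ALLOWED_DIR)) {
            throw new SecurityException("outside allowed directory: " + f);
        }
        return new FileInputStream(f);
    }

    // Compliant: defensively copy the untrusted parameter into a new
    // java.io.File created with the standard constructor. The copy is a
    // plain File, so every method invoked on it is the standard library
    // implementation, and the final reference cannot be swapped out.
    // getPath() on the untrusted object is consulted exactly once; whatever
    // it returns is frozen in 'copy' for both the check and the use.
    public static InputStream openCompliant(File untrusted) throws IOException {
        final File copy = new File(untrusted.getPath());
        if (!copy.getCanonicalPath().startsWith(ALLOWED_DIR)) {
            throw new SecurityException("outside allowed directory: " + copy);
        }
        return new FileInputStream(copy);
    }
}
```

Note that canonicalization is applied to the copy, not to the caller's object, so a path that escapes the allowed directory via ".." segments is rejected on the same value that is later opened.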

...

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

MITRE CWE: CWE-302 "Authentication Bypass by Assumed-Immutable Data"

Bibliography

[Sterbenz 2006]
[MITRE 2009] CWE ID 302, "Authentication Bypass by Assumed-Immutable Data", http://cwe.mitre.org/data/definitions/302.html

...
