...
One suggestion is that at every point where the class can be instantiated, there must be a check to ensure that the instance being created has the same type as the class. If the type is found to be that of a subclass rather than the non-final public superclass's own type, a security manager check can be performed to ensure that malicious classes cannot misuse the class. This approach is insecure because it allows a malicious class to add a finalizer and obtain a partially initialized instance of the class. (See guideline OBJ04-J. Do not allow access to partially initialized objects to be accessed.) For non-final classes, the result of the method that performs the security manager check must be passed as an argument to a private constructor, so that the check runs before Object's constructor completes.
...
However, throwing an exception from the constructor of a non-final class is insecure because it allows a finalizer attack. (See guideline OBJ04-J. Do not allow access to partially initialized objects to be accessed.)
This noncompliant code example nevertheless complies with guideline OBJ06-J. Compare classes and not class names, because it compares class types rather than class names.
...
Irrespective of whether it is a trusted instance or an untrusted one, install a security manager check using the technique described in guideline OBJ04-J. Do not allow access to partially initialized objects to be accessed.
```java
public class NonFinal {
  public NonFinal() {
    this(securityManagerCheck()); // throws a SecurityException if not allowed
    // ...
  }

  private NonFinal(boolean securityManagerCheck) {
    // No statements required
  }

  private static boolean securityManagerCheck() {
    // Perform the security check here; throw SecurityException if the caller is not allowed.
    // Returning normally means the check passed.
    return true;
  }
}
```
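The following is an added example, not the guideline's own code, contrasting a class that throws after `super()` has completed with the `this(securityManagerCheck())` pattern above. The `permitted` flag is an assumption standing in for the real SecurityManager decision, and `leaksInstance` is a helper constructed for this demo.

```java
// Added example (not from the guideline): shows why the check must run before
// Object's constructor. "permitted" stands in for the SecurityManager decision.
public class CheckOrderDemo {
    static boolean permitted = false;   // assumption: the check is denied
    static Object leaked;               // set by a subclass finalizer, if one runs

    static boolean securityManagerCheck() {
        if (!permitted) {
            throw new SecurityException("instantiation not allowed");
        }
        return true;
    }

    // Insecure: super() has already run, so an instance exists when we throw.
    static class ThrowsInBody {
        ThrowsInBody() { securityManagerCheck(); }
    }

    // Pattern from the guideline: the check is an argument expression of
    // this(...), evaluated before Object's constructor, so no instance exists.
    static class NonFinal {
        NonFinal() { this(securityManagerCheck()); }
        private NonFinal(boolean ok) { }
    }

    // Subclasses with a finalizer, as OBJ04-J warns about.
    static class SubA extends ThrowsInBody {
        @Override protected void finalize() { leaked = this; }
    }
    static class SubB extends NonFinal {
        @Override protected void finalize() { leaked = this; }
    }

    // Helper constructed for this demo: true if a finalizer captured an instance.
    static boolean leaksInstance(Runnable construct) throws InterruptedException {
        leaked = null;
        try { construct.run(); } catch (SecurityException expected) { }
        // Finalization is best-effort; request it and wait briefly.
        System.gc();
        System.runFinalization();
        Thread.sleep(200);
        return leaked != null;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("throw in body leaks instance: " + leaksInstance(SubA::new));
        System.out.println("check before super() leaks instance: " + leaksInstance(SubB::new));
    }
}
```

Because finalization is not guaranteed to run promptly, the first line may occasionally report false; the second line is always false, since no object is ever created.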
...
...