Java's object cloning mechanism can allow an attacker to manufacture new instances of a class without executing its constructor. If a class is not cloneable, the attacker can define a subclass that implements the java.lang.Cloneable interface; this lets the attacker create new instances of the class by copying the memory images of existing objects. Although copying is sometimes an acceptable way of making a new object, it often is not, because every check the constructor performs is skipped.

Noncompliant Code Example

Consider the following class definition. Unless someone knows the secret password, objects cannot be created, because the constructor for the class checks the supplied password against the one stored in a password file.

class Test extends MyPrivacy implements Cloneable {

    Test(String passwd) throws java.io.IOException {
        super(passwd); // one legitimate instance, created with the password
    }

    public static void somefunction(MyPrivacy obj) {
        Test t = null;
        try {
            Test original = (Test) obj;
            t = (Test) original.clone(); // Object.clone() copies the fields; no constructor runs
        } catch (Exception e) {
            System.out.println("not cloneable");
        }
        if (t != null)
            t.use(); // Another object instantiated without knowing the password...
    }
}

Compliant Solution

Classes should be made noncloneable to prevent this from occurring. One way to achieve this is to define a final clone() method that always throws CloneNotSupportedException, as in the following class.

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

class MyPrivacy {
    // define class member fields
    // ...

    public MyPrivacy(String passwd) throws IOException {
        String actualPass;
        try (BufferedReader br = new BufferedReader(new FileReader("Passfile.txt"))) {
            actualPass = br.readLine();
        }
        if (actualPass != null && actualPass.equals(passwd)) {
            // return normally
        } else {
            // print an authentication error and abort construction,
            // preventing the class object from being created
            throw new SecurityException("authentication error");
        }
    }

    public void use() {
        //
    }

    // ...
    // Object.clone() returns Object, so the override must as well; declaring it
    // final keeps a subclass from replacing it with a working clone()
    public final Object clone() throws java.lang.CloneNotSupportedException {
        throw new java.lang.CloneNotSupportedException();
    }
}

Compliant Solution

One can also make a class nonsubclassable. This can be achieved by declaring the class final, which also prevents an attacker from adding a Cloneable subclass.

  • If the clone method is being overridden, make it final.
  • If the class is reliant on a nonfinal clone method of one of the superclasses, then define the following:

    public final Object clone() throws java.lang.CloneNotSupportedException {
        return super.clone();
    }

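As an added, stand-alone demonstration of the final clone() approach used by both compliant solutions (not code from the original page): the classes Guarded, Attempt and CloneGuardDemo are hypothetical, and the password is a hard-coded placeholder instead of Passfile.txt. It shows that once clone() is final and throws, a subclass that declares implements Cloneable still cannot obtain a second instance without going through the constructor.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Constructed example: the password is a hard-coded placeholder rather than Passfile.txt
class Guarded {
    static final AtomicInteger CONSTRUCTED = new AtomicInteger();
    private static final String SECRET = "placeholder-secret";

    public Guarded(String passwd) {
        if (!SECRET.equals(passwd)) {
            throw new SecurityException("authentication error");
        }
        CONSTRUCTED.incrementAndGet(); // counts every instance that passed the check
    }

    public void use() { /* privileged work */ }

    // Final and throwing: a subclass can add "implements Cloneable" but cannot
    // replace this method, so Object.clone() is never reachable for this hierarchy.
    @Override
    public final Object clone() throws CloneNotSupportedException {
        throw new CloneNotSupportedException();
    }
}

// Subclass that opts into Cloneable, the pattern from the noncompliant example
class Attempt extends Guarded implements Cloneable {
    Attempt(String passwd) { super(passwd); }

    static Attempt copyOf(Attempt a) throws CloneNotSupportedException {
        return (Attempt) a.clone();
    }
}

public class CloneGuardDemo {
    public static void main(String[] args) {
        try {
            new Guarded("wrong");
        } catch (SecurityException e) {
            System.out.println("constructor refused: " + e.getMessage());
        }
        Attempt legit = new Attempt("placeholder-secret");
        try {
            Attempt.copyOf(legit);
            System.out.println("clone succeeded: constructor bypass!");
        } catch (CloneNotSupportedException e) {
            System.out.println("clone blocked by final clone()");
        }
        System.out.println("instances that passed the check: " + Guarded.CONSTRUCTED.get());
    }
}
```

Compile and run with javac CloneGuardDemo.java && java CloneGuardDemo; the instance counter only ever reflects objects that passed the constructor's check.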

Risk Assessment

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
MSC05-J          Medium     Probably     medium             8          L2
