Nonfinal member methods that perform security checks can be compromised when a malicious subclass overrides the methods and omits the checks. Consequently, such methods must be declared `private` or `final` to prevent overriding.
Noncompliant Code Example
This noncompliant code example allows a subclass to override the `readSensitiveFile()` method and omit the required security check:

```java
public void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
}
```
...
This compliant solution prevents overriding of the `readSensitiveFile()` method by declaring it `final`:

```java
public final void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
}
```
...
This compliant solution prevents overriding of the `readSensitiveFile()` method by declaring it `private`:

```java
private void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
}
```
...
MET03-EX0: Classes that are declared `final` are exempt from this rule because their member methods cannot be overridden.
...
Failure to declare a class's method `private` or `final` affords the opportunity for a malicious subclass to bypass the security checks performed in the method.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MET03-J | Medium | Probable | Medium | P8 | L2 |
Android Implementation Details
On Android, `System.getSecurityManager()` is not used, and the use of a security manager is not exercised. However, an Android developer can implement security-sensitive methods, so the principle may be applicable on Android.
...
IH.2.b.b. Declare methods that enforce |
...