When security checks are based on untrusted sources, those sources can be compromised in such a way that the security check is bypassed. The untrusted object or parameter should be defensively copied before the security check is performed. The copy operation must be a deep copy; the implementation of the clone() method may produce a shallow copy, which can still be compromised. In addition, the implementation of the clone() method can be provided by the attacker. See guidelines MET08-J. Do not use the clone method to copy untrusted method parameters and FIO00-J. Defensively copy mutable inputs and mutable internal components for more information.
Noncompliant Code Example
This noncompliant code example describes a security vulnerability in the java.io package of the JDK 5.0 software. In this release, java.io.File was non-final, allowing an attacker to supply an untrusted value as a parameter that was constructed by extending the legitimate java.io.File class. In this manner, the getPath() method can be overridden so that the security check passes the first time it is called, but the returned value changes the second time to refer to a sensitive file such as /etc/passwd. This is a time-of-check-time-of-use (TOCTOU) vulnerability.
```java
// Compiles only while java.io.File is non-final. File has no no-argument
// constructor, so the subclass must forward a path to super(...).
public class BadFile extends java.io.File {
  private int count;

  public BadFile(String path) {
    super(path);
  }

  // Passes the check on the first call, then points at a sensitive file.
  @Override
  public String getPath() {
    return (++count == 1) ? "/tmp/foo" : "/etc/passwd";
  }
}
```
Compliant Solution
Security checks should not be based on untrusted sources. This compliant solution ensures that the java.io.File object can be trusted for two reasons. First, its reference is declared to be final, preventing an attacker from modifying the reference to substitute a different object. Second, the solution creates a new java.io.File object using the standard java.io.File constructor. This ensures that any methods invoked on the File object are the standard library methods rather than overriding methods potentially provided by the attacker.
```java
// Requires java.io.FileNotFoundException, java.io.RandomAccessFile,
// java.security.AccessController, java.security.PrivilegedActionException
// and java.security.PrivilegedExceptionAction.
public RandomAccessFile openFile(java.io.File f) throws FileNotFoundException {
  // Deep copy through the standard constructor: getPath() is invoked on the
  // untrusted object exactly once, and copy is a genuine java.io.File.
  final java.io.File copy = new java.io.File(f.getPath());
  askUserPermission(copy.getPath()); // security check on the trusted copy
  // ...
  try {
    return AccessController.doPrivileged(
        new PrivilegedExceptionAction<RandomAccessFile>() {
          public RandomAccessFile run() throws FileNotFoundException {
            return new RandomAccessFile(copy.getPath(), "r"); // use the same copy
          }
        });
  } catch (PrivilegedActionException e) {
    throw (FileNotFoundException) e.getException();
  }
}
```
Note that using the clone() method instead of the standard constructor in openFile() would copy the attacker's class (including its overriding methods), which is not desirable. (Refer to guideline MET08-J. Do not use the clone method to copy untrusted method parameters.)
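The following harness is an added example and not code from the guideline: it subclasses java.io.File the way the noncompliant BadFile does and shows that checking and then using the untrusted object opens a different path than the one checked, whereas the defensive copy made through the standard constructor fixes the value. The allow-list check permitted(), the constructed paths and the class names are assumptions standing in for askUserPermission() and the real file open.

```java
import java.io.File;

public class DefensiveCopyDemo {
    // Constructed sample paths, normalized by File so the demo is OS-independent.
    static final String ALLOWED = new File("/tmp/allowed.txt").getPath();
    static final String SECRET = new File("/tmp/secret.txt").getPath();

    // Mimics the page's BadFile: the path changes between the check and the use.
    static class MutatingFile extends File {
        private int calls;
        MutatingFile() { super(ALLOWED); }
        @Override public String getPath() { return (++calls == 1) ? ALLOWED : SECRET; }
    }

    // Stand-in for askUserPermission(): an allow-list check (assumed, not from the page).
    static boolean permitted(String path) { return path.equals(ALLOWED); }

    // Noncompliant shape: the check and the use both call the untrusted object.
    static String openUnsafe(File f) {
        if (!permitted(f.getPath())) throw new SecurityException("denied");
        return f.getPath();   // second call; stands in for opening the file
    }

    // Compliant shape: copy through the standard constructor, then check and use the copy.
    static String openSafe(File f) {
        final File copy = new File(f.getPath());   // getPath() on the untrusted object exactly once
        if (!permitted(copy.getPath())) throw new SecurityException("denied");
        return copy.getPath();   // the same value the check saw
    }

    public static void main(String[] args) {
        String unsafe = openUnsafe(new MutatingFile());
        String safe = openSafe(new MutatingFile());
        System.out.println("unsafe: check saw " + ALLOWED + ", would open " + unsafe);
        System.out.println("safe:   check saw " + ALLOWED + ", would open " + safe);
        if (!unsafe.equals(SECRET) || !safe.equals(ALLOWED)) {
            throw new AssertionError("unexpected result");
        }
    }
}
```

Running the harness shows the unsafe variant would open the secret path after the check passed on the allowed one, while the safe variant opens exactly the path it checked.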
Risk Assessment
Basing security checks on untrusted sources can result in the check being bypassed.