...
One commonly suggested solution is to place code at each point where the superclass can be instantiated to ensure that the instance being created has the same type as the superclass. When the type is found to be that of a subclass rather than the superclass's type, the checking code performs a security manager check to ensure that malicious classes cannot misuse the superclass. This approach is insecure because it allows a malicious class to add a finalizer and obtain a partially initialized instance of the superclass. This attack is detailed in guideline rule "OBJ05-J. Prevent access to partially initialized objects."
...
This malicious BigInteger class is clearly mutable because of the setValue() method. Furthermore, the modPow() method is subject to precision loss. (See guidelines rules "NUM00-J. Detect or prevent integer overflow," "NUM11-J. Check floating-point inputs for exceptional values," "NUM15-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data," and "NUM17-J. Beware of precision loss when converting primitive integers to floating-point" for more information.) Any code that receives an object of this class and assumes that the object is immutable will have unexpected behavior. This is particularly important because the BigInteger.modPow() method has several useful cryptographic applications.
...
| Wiki Markup |
|---|
This noncompliant code example installs a security manager check in the constructor of the {{BigInteger}} class. The security manager denies access when it detects that a subclass without the requisite permissions is attempting to instantiate the superclass \[[SCG 2007|AA. Bibliography#SCG 07]\]. It also compares class types, in compliance with guidelinerule "[OBJ06-J. Compare classes and not class names|OBJ06-J. Compare classes and not class names]." |
...
Unfortunately, throwing an exception from the constructor of a non-final class is insecure because it allows a finalizer attack. (See guideline rule "OBJ05-J. Prevent access to partially initialized objects.")
...
| Code Block | ||
|---|---|---|
| ||
public static BigInteger safeInstance(BigInteger val) {
// create a defensive copy if it is not java.math.BigInteger
if (val.getClass() != java.math.BigInteger.class)
return new BigInteger(val.toByteArray());
return val;
}
|
The guidelines rules "FIO00-J. Defensively copy mutable inputs and mutable internal components" and "OBJ08-J. Provide mutable classes with copy functionality to allow passing instances to untrusted code safely" discuss defensive copying in great depth.
...
This compliant solution invokes a security manager check as a side-effect of computing the boolean value passed to a private constructor (as seen in guideline rule "OBJ05-J. Prevent access to partially initialized objects"). The rules for order of evaluation require that the security manager check must execute before invocation of the private constructor. Consequently, the security manager check also executes before invocation of any superclass's constructor. Note that the security manager check is made without regard to whether the object under construction has the type of the parent class or the type of a subclass (whether trusted or not).
...
Permitting a non-final class or method to be inherited without checking the class instance allows a malicious subclass to misuse the privileges of the class.
Guideline Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
OBJ00-J | medium | likely | medium | P12 | L1 |
...