...

Privileges are lost as soon as untrusted code is executed. If trusted code calls untrusted code that attempts to perform an action requiring permissions the security policy has not granted, the action is denied. However, privileged code may use a class that exists in an untrusted container and performs only unprivileged operations. If an attacker replaces this class with a malicious implementation, the trusted code will receive incorrect results.

...

This noncompliant code example uses a doPrivileged block and calls a method defined in a class that exists in a different, untrusted package. An attacker can provide an implementation of class RetValue so that the privileged code uses the wrong return value. Even if class MixMatch trusted only signed code, an attacker could still cause this behavior by maliciously deploying a legitimately signed class and linking it to the privileged code.

package trusted;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import untrusted.RetValue;

public class MixMatch {
  private void privilegedMethod() throws IOException {
    FileInputStream fis = null;
    try {
      // only the file open runs with elevated privileges
      fis = AccessController.doPrivileged(
          new PrivilegedExceptionAction<FileInputStream>() {
            public FileInputStream run() throws FileNotFoundException {
              return new FileInputStream("file.txt");
            }
          });

      // RetValue comes from an untrusted package: whoever controls that
      // package controls the result this privileged code acts on
      RetValue rt = new RetValue();

      if (rt.getValue() == 1) {
        // do something with sensitive file
      }
    } catch (PrivilegedActionException e) {
      // forward to handler and log
    } finally {
      if (fis != null) {
        fis.close();
      }
    }
  }

  public static void main(String[] args) throws IOException {
    MixMatch mm = new MixMatch();
    mm.privilegedMethod();
  }
}

package untrusted;

// public, otherwise trusted.MixMatch could not reference it across packages
public class RetValue {
  public int getValue() {
    return 1;
  }
}


Compliant Solution

This compliant solution moves all privileged code into the same package and reduces the accessibility of the getValue() method to package-private. Sealing the package is necessary to prevent attackers from inserting rogue classes into it.
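The following is an added example of the structure this compliant solution describes; it is not the page's own code. It assumes the same file name "file.txt" and the same MixMatch and RetValue class names as the noncompliant example, and that the package is delivered in a JAR whose manifest marks it sealed (manifest lines shown in the comment). With RetValue and its getValue() both package-private and the package sealed, no class loaded from another JAR can be placed in package trusted to substitute a different getValue(), so the value the privileged code branches on is produced only by code that shipped alongside it.

```java
// trusted/MixMatch.java
package trusted;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

public class MixMatch {

  private void privilegedMethod() throws IOException {
    FileInputStream fis = null;
    try {
      // Keep the privileged region as small as possible: only the file open.
      // The typed action avoids the unchecked cast of the raw form.
      fis = AccessController.doPrivileged(
          new PrivilegedExceptionAction<FileInputStream>() {
            public FileInputStream run() throws FileNotFoundException {
              return new FileInputStream("file.txt");
            }
          });

      // RetValue now lives in package trusted (same JAR, sealed) and is
      // package-private, so untrusted code cannot supply a replacement.
      RetValue rt = new RetValue();
      if (rt.getValue() == 1) {
        // do something with sensitive file
      }
    } catch (PrivilegedActionException e) {
      // forward to handler and log; the cause is the FileNotFoundException
      throw new IOException(e.getCause());
    } finally {
      if (fis != null) {
        fis.close();
      }
    }
  }

  public static void main(String[] args) throws IOException {
    new MixMatch().privilegedMethod();
  }
}

// trusted/RetValue.java
package trusted;

// Package-private class and method: not reachable from any other package,
// and final so it cannot be subclassed from inside the package either.
final class RetValue {
  int getValue() {
    return 1;
  }
}

// META-INF/MANIFEST.MF entry for the JAR that carries package trusted
// (assumed packaging; "Name: trusted/" plus "Sealed: true" seals the package):
//
//   Name: trusted/
//   Sealed: true
```

When the JAR is built with that manifest, an attempt to define an additional class in package trusted from a different JAR fails at class-definition time with a SecurityException (a sealing violation), which is the check that turns the package boundary into an actual trust boundary rather than a naming convention. A quick way to confirm the sealing took effect is to call Package.getPackage("trusted").isSealed() from within the package after the JAR has been loaded.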

...