Versions Compared

Comment: made some significant changes to the code and the prose; please check

An attacker can bypass security checks if defensive copies of untrusted method parameters are made and security decisions are based on these copies. An example of an untrusted method argument is an object instance whose class provides a clone() method and the class itself is non-final.

Noncompliant Code Example

This noncompliant code example defines a validateValue() method that validates a time value.

Code Block
private Boolean validateValue(long time) {
  // Perform validation
  return true; // If the time is valid
}

private void storeDateinDB(java.util.Date date) throws SQLException {
  // clone() dispatches to the runtime class of the argument, so a subclass
  // supplied by the caller survives the copy
  final java.util.Date copy = (java.util.Date)date.clone();
  if (validateValue(copy.getTime())) {
    Connection con = DriverManager.getConnection("jdbc:microsoft:sqlserver://<HOST>:1433","<UID>","<PWD>");
    PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?");
    // second call to getTime(): the value stored may differ from the one validated
    pstmt.setLong(1, copy.getTime());
    // ...
  }
}

The storeDateinDB() method accepts an untrusted date argument and creates a copy using the clone() method. The attacker can override the getTime() method, as shown below, so that it passes validation when called for the first time but provides an unexpected value when it is used a second time.

Code Block
public class MaliciousDate extends java.util.Date {
  private static int count = 0;

  // Returns a different value on successive calls, so the value validated
  // is not the value that is later stored
  @Override
  public long getTime() {
    java.util.Date d = new java.util.Date();
    return (count++ == 1) ? d.getTime() : d.getTime() - 1000;
  }
}

Compliant Solution

This compliant solution creates a new java.util.Date object, which is subsequently used for access control checks and insertion into the database.

Code Block
private void storeDateinDB(java.util.Date date) throws SQLException {
  // The constructor always produces a genuine java.util.Date, regardless of
  // the runtime class of the argument; validateValue() is as defined above
  final java.util.Date copy = new java.util.Date(date.getTime());
  if (validateValue(copy.getTime())) {
    Connection con = DriverManager.getConnection("jdbc:microsoft:sqlserver://<HOST>:1433","<UID>","<PWD>");
    PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?");
    pstmt.setLong(1, copy.getTime());
    // ...
  }
}
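The following stand-alone program is an added example, not part of the original guideline. It contrasts the two copy strategies on a non-final Date subclass whose getTime() changes between calls; the class names DefensiveCopyDemo and FlakyDate and the helper isStable() are assumptions for this illustration.

```java
import java.util.Date;

// Added example: shows why clone() does not yield a trustworthy copy of a
// non-final argument, while the copy constructor does.
public class DefensiveCopyDemo {

    // Constructed stand-in for the guideline's MaliciousDate: the first
    // read is honest, later reads return a different value.
    static class FlakyDate extends Date {
        private int calls = 0;

        @Override
        public long getTime() {
            long stored = super.getTime();
            return (calls++ == 0) ? stored : stored - 1000L;
        }
    }

    // Insecure copy: Object.clone() copies the argument's runtime class,
    // including the overriding getTime() and its per-instance state.
    static Date copyWithClone(Date d) {
        return (Date) d.clone();
    }

    // Secure copy: the constructor always produces a genuine java.util.Date.
    static Date copyWithConstructor(Date d) {
        return new Date(d.getTime());
    }

    // A copy is only fit for a validate-then-use sequence if two consecutive
    // reads agree; this mirrors the validateValue()/setLong() pair above.
    static boolean isStable(Date copy) {
        return copy.getTime() == copy.getTime();
    }

    public static void main(String[] args) {
        Date untrusted = new FlakyDate();

        Date cloned = copyWithClone(untrusted);
        System.out.println("clone() runtime class: " + cloned.getClass().getName());
        System.out.println("clone() copy stable  : " + isStable(cloned));

        Date rebuilt = copyWithConstructor(untrusted);
        System.out.println("ctor    runtime class: " + rebuilt.getClass().getName());
        System.out.println("ctor    copy stable  : " + isStable(rebuilt));
    }
}
```

A defensive copy can additionally be checked with copy.getClass() == java.util.Date.class before any security decision is based on it.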

Risk Assessment

Using the clone() method to copy an untrusted argument can invalidate security checks.

Guideline   Severity   Likelihood   Remediation Cost   Priority   Level
MET08-J     high       likely       low                P27        L1

...