...
Java's object cloning mechanism allows an attacker to manufacture new instances of a class by copying the memory images of existing objects rather than by executing the class's constructor. Often this is an unacceptable way of creating new objects. An attacker can misuse the clone feature to manufacture multiple instances of a singleton class, create serious thread-safety issues by subclassing and cloning the subclass, bypass security checks within the constructor, and violate the invariants of critical data.
...
Classes that are not sensitive , but maintain other invariants must be sensitive to the possibility of malicious subclasses accessing or manipulating their data and possibly invalidating their invariants. See guideline "OBJ08-J. Provide mutable classes with copy functionality to allow passing instances to untrusted code safely" for more information.
...
| Code Block | ||
|---|---|---|
| ||
class SensitiveClass {
private char[] filename;
private Boolean shared = false;
SensitiveClass(String filename) {
this.filename = filename.toCharArray();
}
final void replace() {
if (!shared)
for(int i = 0; i < filename.length; i++) {
filename[i]= 'x';
}
}
final String get() {
if (!shared) {
shared = true;
return String.valueOf(filename);
} else {
throw new IllegalStateException("Failed to get instance");
}
}
final void printFilename() {
System.out.println(String.valueOf(filename));
}
}
|
...
This class can be exploited by a malicious class, shown in the following noncompliant code example, that subclasses the non-final nonfinal SensitiveClass and provides a public clone() method.
| Code Block | ||
|---|---|---|
| ||
class MaliciousSubclass extends SensitiveClass implements Cloneable {
protected MaliciousSubclass(String filename) {
super(filename);
}
@Override public MaliciousSubclass clone() { // Well-behaved clone() method
MaliciousSubclass s = null;
try {
s = (MaliciousSubclass)super.clone();
} catch(Exception e) {
System.out.println("not cloneable");
}
return s;
}
public static void main(String[] args) {
MaliciousSubclass ms1 = new MaliciousSubclass("file.txt");
MaliciousSubclass ms2 = ms1.clone(); // Creates a copy
String s = ms1.get(); // Returns filename
System.out.println(s); // Filename is "file.txt"
ms2.replace(); // Replaces all characters with 'x'
// Both ms1.get() and ms2.get() will subsequently return filename = 'xxxxxxxx'
ms1.printFilename(); // Filename becomes 'xxxxxxxx'
ms2.printFilename(); // Filename becomes 'xxxxxxxx'
}
}
|
The malicious class creates its own instance (ms1) and produces a second one (ms2) by cloning the first. It then obtains a new String filename object by invoking the get() method on the first instance. At this point, the shared flag is set to true. Because the second instance (ms2) does not have its shared flag set to true, it is possible to alter the first instance ms1 using the replace() method. This obviates any security efforts and severely violates the class's invariants.
Compliant Solution (final class)
...
This class fails to prevent malicious subclasses , but does protect the data in SensitiveClass. Its methods are protected by being declared final. For more information on how to handle malicious subclasses, see guideline "OBJ08-J. Provide mutable classes with copy functionality to allow passing instances to untrusted code safely."
...
| Wiki Markup |
|---|
\[[Mcgraw 1998|AA. Bibliography#Mcgraw 98]\] Twelve rules for developing more secure Java code \[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 498|http://cwe.mitre.org/data/definitions/498.html] "Information Leak through Class Cloning", [CWE ID 491|http://cwe.mitre.org/data/definitions/491.html] "Public cloneable() Method Without Final (aka 'Object Hijack')" \[[Wheeler 2003|AA. Bibliography#Wheeler 03]\] 10.6. Java |
...
OBJ02-J. Never conflate immutability of a reference with that of the referenced object 04. Object Orientation (OBJ) OBJ04-J. Do not use public static non-final variables