Versions Compared

Comment: minor, minor edits

...

Unfortunately, throwing an exception from the constructor of a non-final class is insecure because it allows a finalizer attack. (See guideline "OBJ05-J. Do not allow access to partially initialized objects".)

Compliant Solution (final)

This compliant solution prevents creation of malicious subclasses by declaring the immutable BigInteger class to be final. Although this solution would be appropriate for locally maintained code, it cannot be used in the case of java.math.BigInteger because it would require changing the Java SE API, which has already been published and must remain compatible with previous versions.

...

Code in privileged blocks should be as simple as possible, both to improve reliability and to ease security audits. Invocation of overridable methods permits modification of the code that is executed in the privileged context without modification of previously audited classes. Furthermore, calling overridable methods disperses the code over multiple classes, making it harder to determine which code must be audited. Malicious subclasses cannot directly exploit this issue because privileges are dropped as soon as unprivileged code is executed. Nevertheless, maintainers of the subclasses might unintentionally violate the requirements of the base class. For example, even when the base class's overridable method is thread-safe, a subclass might provide an implementation that lacks this property, leading to security vulnerabilities.

...

A subclass can override getMethodName() to return a string other than someMethod. If an object of such a subclass runs invokeMethod(), control flow will divert to some method other than someMethod.

Compliant Solution (final)

This compliant solution declares the getMethodName() method final so that it cannot be overridden.

...

Alternative approaches that prevent overriding of the getMethodName() method include declaring it as private or declaring the enclosing class as final.
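The following is an added illustration, not the guideline's own listing: it shows invokeMethod() being diverted by an overriding subclass, next to the form with a final getMethodName(). The class names (OverrideDemo, Base, Diverting, Hardened, HardenedChild) and otherMethod() are hypothetical, and the privileged block is omitted so that only the dispatch behaviour is shown.

```java
import java.lang.reflect.Method;

public class OverrideDemo {
    // Noncompliant shape: invokeMethod() asks an overridable method which method to run.
    static class Base {
        public String getMethodName() { return "someMethod"; }
        public void someMethod()  { System.out.println("someMethod (audited path)"); }
        public void otherMethod() { System.out.println("otherMethod (never meant to run here)"); }

        public String invokeMethod() throws ReflectiveOperationException {
            String name = getMethodName();          // virtual call: the subclass decides
            Method m = Base.class.getMethod(name);
            m.invoke(this);
            return name;
        }
    }

    // A subclass written without knowledge of the base-class contract.
    static class Diverting extends Base {
        @Override public String getMethodName() { return "otherMethod"; }
    }

    // Compliant shape: the hook is final, so every subclass runs the audited path.
    static class Hardened {
        public final String getMethodName() { return "someMethod"; }
        public void someMethod() { System.out.println("someMethod (audited path)"); }

        public String invokeMethod() throws ReflectiveOperationException {
            Method m = Hardened.class.getMethod(getMethodName());
            m.invoke(this);
            return m.getName();
        }
    }

    static class HardenedChild extends Hardened {
        // Uncommenting the next line is rejected by javac: getMethodName() is final.
        // @Override public String getMethodName() { return "otherMethod"; }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Base          -> " + new Base().invokeMethod());
        System.out.println("Diverting     -> " + new Diverting().invokeMethod());
        System.out.println("HardenedChild -> " + new HardenedChild().invokeMethod());
    }
}
```

Running main reports someMethod for Base and HardenedChild and otherMethod for Diverting, which is the diversion the noncompliant form permits.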

Compliant Solution (Disallow polymorphism)

This compliant solution specifically invokes the correct getMethodName(), preventing diversion of control flow.

...