...
| Code Block | ||
|---|---|---|
| ||
public final class NativeMethodWrapper {
// private native method
private native void nativeOperation(byte[] data, int offset, int len);
// wrapper method performs SecurityManager and input validation checks
public void doOperation(byte[] data, int offset, int len) {
// permission needed to invoke native method
securityManagerCheck();
if (data == null) {
throw new NullPointerException();
}
// copy mutable input
data = data.clone();
// validate input
if ((offset < 0) || (len < 0) || (offset > (data.length - len))) {
throw new IllegalArgumentException();
}
nativeOperation(data, offset, len);
}
static {
System.loadLibrary("NativeMethodLib"); //load native library in static initializer of class
}
}
|
Risk Assessment
Allowing Failure to define wrappers around native methods to be called directly by untrusted code may seriously compromise the security of a Java applicationcan allow unprivileged callers to invoke them and exploit inherent vulnerabilities such as those resulting from invalid input validation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SEC33-J | medium | probable | high | P4 | L3 |
...