...
/**
 * Singleton that guards a sensitive value behind a private constructor.
 *
 * <p>{@link Number} implements {@link java.io.Serializable}, so this class is
 * serializable even though it never declares it. Java deserialization does not
 * run this class's constructor, which means the checks in
 * {@code SensitiveClass()} are skipped for any instance produced by
 * {@code ObjectInputStream.readObject()}; {@code Malicious} below shows the
 * resulting second instance.
 */
public class SensitiveClass extends Number {
  // ..implement abstract methods, such as Number.doubleValue()...

  // The only instance this class intends to exist; created once at class init.
  private static final SensitiveClass INSTANCE = new SensitiveClass();

  /** Returns the single intended instance. */
  public static SensitiveClass getInstance() {
    return INSTANCE;
  }

  private SensitiveClass() {
    // Perform security checks and parameter validation
    // NOTE(review): these checks only run on the direct `new` above; a copy
    // created through serialization bypasses this constructor entirely.
  }

  /** Returns the protected balance (a fixed value of 1000 in this example). */
  protected int getBalance() {
    int balance = 1000;
    return balance;
  }
}

/**
 * Demonstrates that the singleton guarantee of {@link SensitiveClass} is not
 * enforced: serializing and deserializing {@code INSTANCE} yields a distinct
 * object, so the identity comparison in {@code main} prints {@code false}.
 */
class Malicious {
  public static void main(String[] args) {
    // Obtain a second instance without ever calling the private constructor.
    SensitiveClass sc = (SensitiveClass) deepCopy(SensitiveClass.getInstance());
    // Prints false; indicates new instance
    System.out.println(sc == SensitiveClass.getInstance());
    // getBalance() is protected; this call compiles because both classes sit
    // in the same compilation unit and therefore the same package.
    System.out.println("Balance = " + sc.getBalance());
  }

  // This method should not be used in production code
  /**
   * Round-trips {@code obj} through Java serialization and returns the
   * deserialized copy.
   *
   * <p>The bytes come from an in-memory buffer filled by this same method, so
   * the input is not attacker-controlled here; the identical
   * {@code readObject()} call on bytes from an untrusted source is the classic
   * Java deserialization hazard and should not be used in that setting. The
   * byte-array streams are not closed explicitly; closing them is a no-op.
   *
   * @param obj any object; must be serializable for the call to succeed
   * @return a new object graph equal in content to {@code obj}
   * @throws IllegalArgumentException wrapping any serialization or
   *     deserialization error (the original exception is kept as the cause)
   */
  static public Object deepCopy(Object obj) {
    try {
      ByteArrayOutputStream bos = new ByteArrayOutputStream();
      new ObjectOutputStream(bos).writeObject(obj);
      ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray());
      return new ObjectInputStream(bin).readObject();
    } catch (Exception e) {
      // Broad catch covers IOException and ClassNotFoundException from the
      // stream calls; the cause is preserved rather than dropped.
      throw new IllegalArgumentException(e);
    }
  }
}
...