Nonfinal member methods that perform security checks can be compromised when a malicious subclass overrides the method and omits the checks. Consequently, such methods must be declared private or final to prevent overriding.
Noncompliant Code Example
This noncompliant code example allows a subclass to override the readSensitiveFile() method and omit the required security check:
    public void readSensitiveFile() {
      try {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {  // Check for permission to read file
          sm.checkRead("/temp/tempFile");
        }
        // Access the file
      } catch (SecurityException se) {
        // Log exception
      }
    }
Compliant Solution
This compliant solution prevents overriding of the readSensitiveFile() method by declaring it final:
    public final void readSensitiveFile() {
      try {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {  // Check for permission to read file
          sm.checkRead("/temp/tempFile");
        }
        // Access the file
      } catch (SecurityException se) {
        // Log exception
      }
    }
Compliant Solution
This compliant solution prevents overriding of the readSensitiveFile() method by declaring it private:
    private void readSensitiveFile() {
      try {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {  // Check for permission to read file
          sm.checkRead("/temp/tempFile");
        }
        // Access the file
      } catch (SecurityException se) {
        // Log exception
      }
    }
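The following is an added example, not code from the CERT page: it makes the hazard observable by recording which steps actually execute. It substitutes a hypothetical requireReadPermission() for sm.checkRead() so it runs on any JDK (SecurityManager is deprecated for removal since Java 17), and shows that a subclass of the noncompliant class silently drops the check, while the final method cannot be overridden at all.

```java
import java.util.ArrayList;
import java.util.List;

public class OverridableCheckDemo {
    // Constructed audit trail so the caller can see which steps actually ran.
    static final List<String> audit = new ArrayList<>();
    // Hypothetical policy check standing in for sm.checkRead("/temp/tempFile").
    static void requireReadPermission(String path) {
        audit.add("checked " + path);
        if (!path.startsWith("/temp/")) throw new SecurityException("read denied: " + path);
    }
    // Noncompliant: the check sits in a public, nonfinal method of a nonfinal class.
    static class SensitiveReader {
        public void readSensitiveFile() {
            requireReadPermission("/temp/tempFile");
            audit.add("accessed /temp/tempFile");
        }
    }
    // A subclass overrides the method and leaves the check out; callers holding a
    // SensitiveReader reference cannot tell the difference.
    static class LaxReader extends SensitiveReader {
        @Override
        public void readSensitiveFile() {
            audit.add("accessed /temp/tempFile");
        }
    }
    // Compliant: declaring the method final means no subclass can replace it.
    static class GuardedReader {
        public final void readSensitiveFile() {
            requireReadPermission("/temp/tempFile");
            audit.add("accessed /temp/tempFile");
        }
    }
    // javac rejects this subclass with "overridden method is final":
    // static class LaxGuardedReader extends GuardedReader {
    //     @Override public void readSensitiveFile() { }
    // }

    // Runs a reader through the base-type reference and returns what actually happened.
    static List<String> trace(SensitiveReader reader) {
        audit.clear();
        reader.readSensitiveFile();
        return new ArrayList<>(audit);
    }

    public static void main(String[] args) {
        System.out.println("base:     " + trace(new SensitiveReader()));
        System.out.println("subclass: " + trace(new LaxReader())); // the permission check never ran
    }
}
```

The private variant on the page closes the same gap, since a private method is not visible to subclasses and so cannot be overridden either.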
Exceptions
MET03-J-EX0: Classes that are declared final are exempt from this rule because their member methods cannot be overridden.
Risk Assessment
Failure to declare a nonfinal class's method private or final affords the opportunity for a malicious subclass to bypass the security checks performed in the method.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
MET03-J | Medium | Probable | Medium | P8 | L2
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Android Implementation Details
On Android, System.getSecurityManager() is not used, and the use of a security manager is not exercised. However, an Android developer can implement security-sensitive methods, so the principle may be applicable on Android.