...
This noncompliant code example contains a TOCTOU vulnerability. Because cookie is a mutable input, an attacker can cause it to expire between the initial check (the hasExpired() call) and the actual use (the doLogic() call).
...
This compliant solution avoids the TOCTOU vulnerability by copying the mutable input and performing all operations on the copy. Consequently, an attacker's changes to the mutable input cannot affect the copy. Acceptable techniques include using a copy constructor or implementing the java.lang.Cloneable interface and declaring a public public clone() method (for classes not declared final). In cases such as HttpCookie where the mutable class is declared final—that is, it cannot provide an accessible copy method — perform method—perform a manual copy of the object state within the caller (see OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code for more information). Note that any input validation must be performed on the copy rather than on the original object.
...
Failing to create a copy of a mutable input may result in a TOCTOU vulnerability or expose internal mutable components to untrusted code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
OBJ06-J | Medium | Probable | High | P4 | L3 |
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Parasoft Jtest |
| CERT.OBJ06.CPCL CERT.OBJ06..MPT CERT.OBJ06.SMO CERT.OBJ06.MUCOP | Enforce returning a defensive copy in 'clone()' methods Do not pass user-given mutable objects directly to certain types Do not store user-given mutable objects directly into variables Provide mutable classes with copy functionality | ||||||
| SonarQube |
| S2384 | Mutable members should not be stored or returned directly Implemented for Arrays, Collections and Dates. |
Related Vulnerabilities
CVE-2012-0507 describes an exploit that managed to bypass Java's applet security sandbox and run malicious code on a remote user's machine. The exploit created a data structure that is normally impossible to create in Java but was built using deserialization, and the deserialization process did not perform defensive copies of the deserialized data. See the code examples in SER07-J. Do not use the default serialized form for classes with implementation-defined invariants for more information.
Related Guidelines
Guideline 6-2 / MUTABLE-2 |
: Create copies of mutable |
output values |
Bibliography
Item 39, "Make Defensive Copies When Needed" | |
"Returning References to Internal Mutable State" |
...
...