Developers often separate program logic across multiple classes or files to modularize code and to increase reusability. When developers modify a superclass (during maintenance, for example), the developer must ensure that changes in superclasses preserve all the program invariants on which the subclasses depend. Failure to maintain all relevant invariants can cause security vulnerabilities.
Noncompliant Code Example
In this code example, a class Account stores banking-related information without any inherent security. Security is delegated to the subclass BankAccount. The client application is required to use BankAccount because it contains the security mechanism.
| Code Block | ||
|---|---|---|
| ||
private class Account {
// Maintains all banking-related data such as account balance
private double balance = 100;
boolean withdraw(double amount) {
if ((balance - amount) >= 0) {
balance -= amount;
System.out.println("Withdrawal successful. The balance is : "
+ balance);
return true;
}
return false;
}
}
public class BankAccount extends Account {
// Subclass handles authentication
@Override boolean withdraw(double amount) {
if (!securityCheck()) {
throw new IllegalAccessException();
}
return super.withdraw(amount);
}
private final boolean securityCheck() {
// Check that account management may proceed
}
}
public class Client {
public static void main(String[] args) {
Account account = new BankAccount();
// Enforce security manager check
boolean result = account.withdraw(200.0);
System.out.println("Withdrawal successful? " + result);
}
}
|
At a later date, the maintainer of the Account class added a new method called overdraft(). However, the BankAccount class maintainer was unaware of the change. Consequently, the client application became vulnerable to malicious invocations. For example, the overdraft() method could be invoked directly on a BankAccount object, avoiding the security checks that should have been present. The following noncompliant code example shows this vulnerability:
| Code Block | ||
|---|---|---|
| ||
private class Account {
// Maintains all banking-related data such as account balance
private double balance = 100;
boolean overdraft() {
balance += 300; // Add 300 in case there is an overdraft
System.out.println("Added back-up amount. The balance is :"
+ balance);
return true;
}
// Other Account methods
}
public class BankAccount extends Account {
// Subclass handles authentication
// NOTE: unchanged from previous version
// NOTE: lacks override of overdraft method
}
public class Client {
public static void main(String[] args) {
Account account = new BankAccount();
// Enforce security manager check
boolean result = account.withdraw(200.0);
if (!result) {
result = account.overdraft();
}
System.out.println("Withdrawal successful? " + result);
}
}
|
...
| Code Block | ||
|---|---|---|
| ||
class BankAccount extends Account {
// ...
@Override boolean overdraft() { // overrideOverride
throw new IllegalAccessException();
}
}
|
...
The java.util.Calendar class provides a compareTo() method and an after() method. The after() method is documented in the Java API Reference [API 20062014] as follows:
The
after()method returns whether thisCalendarrepresents a time after the time represented by the specifiedObject. This method is equivalent to
compareTo(when) > 0
if and only ifwhenis aCalendarinstance. Otherwise, the method returnsfalse.
...
In this case, the two objects are initially compared using the overriding CalendarSubclass.after() method. This , which invokes the superclass's Calendar.after() method to perform the remainder of the comparison. But the Calendar.after() method internally calls the compareTo() method, which delegates to CalendarSubclass.compareTo(). Consequently, CalendarSubclass.after() actually calls CalendarSubclass.compareTo() and returns false.
...
This compliant solution uses a design pattern called Composition and Forwarding (sometimes also called Delegation) [Lieberman 1986], [Gamma 1995, p. 20]. The compliant solution introduces a new forwarder class that contains a private member field of the Calendar type; this is composition rather than inheritance. In this example, the field refers to CalendarImplementation, a concrete instantiable implementation of the abstract Calendar class. The compliant solution also introduces a wrapper class called CompositeCalendar that provides the same overridden methods found in the CalendarSubclass from the preceding noncompliant code example.
...
Modifying a superclass without considering the effect on subclasses can introduce vulnerabilities. Subclasses that are developed without awareness with an incorrect understanding of the superclass implementation can be subject to erratic behavior, resulting in inconsistent data state and mismanaged control flow. Also, if the superclass implementation changes then the subclass may need to be redesigned to take into account these changes.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
OBJ02-J | Medium | Probable | High | P4 | L3 |
...
Secure Coding Guidelines for the Java Programming LanguageSE, Version 35.0 | Guideline 1-3. 4-6 / EXTEND-6: Understand how a superclass can affect subclass behavior |
Bibliography
Item 16, "Favor Composition over Inheritance" | |
Design Patterns: Elements of Reusable Object-Oriented Software (p. 20) | |
"Using Prototypical Objects to Implement Shared Behavior in Object-Oriented Systems" |
...