
Nonfinal member methods that perform security checks can be compromised when a malicious subclass overrides the methods and omits the checks. Consequently, such methods must be declared private or final to prevent overriding.

Noncompliant Code Example

This noncompliant code example allows a subclass to override the readSensitiveFile() method and omit the required security check.


public void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    } 
    // Access the file
  } catch (SecurityException se) { 
    // Log exception  
  }
}

Compliant Solution

This compliant solution prevents overriding of the readSensitiveFile() method by declaring it final.


public final void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    } 
    // Access the file
  } catch (SecurityException se) { 
    // Log exception 
  }
}

Compliant Solution

This compliant solution prevents overriding of the readSensitiveFile() method by declaring it private.


private void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    } 
    // Access the file
  } catch (SecurityException se) { 
    // Log exception 
  }
}

Exceptions

MET03-J-EX0: Classes that are declared final are exempt from this rule because their member methods cannot be overridden.

Risk Assessment

Failure to declare a non-final class's method private or final affords the opportunity for a malicious subclass to bypass the security checks performed in the method.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
| --- | --- | --- | --- | --- | --- |
| MET03-J | Medium | Probable | Medium | P8 | L2 |

Automated Detection

TODO
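
One way to audit compiled classes for this rule, as an added example that is not part of the original guideline or of any CERT tooling: a reflection check that reports security-check methods a subclass could still override, honoring the MET03-J-EX0 exemption for final classes. The `@SecurityCheck` annotation, the `Met03Audit` class and the sample classes are hypothetical names constructed for this example; it assumes Java 9 or later.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class Met03Audit {
  // Hypothetical marker annotation (an assumption of this example):
  // placed on every method that performs a security check.
  @Retention(RetentionPolicy.RUNTIME)
  @Target(ElementType.METHOD)
  @interface SecurityCheck {}

  // Returns the marked methods of c that a subclass could override.
  static List<String> findOverridableChecks(Class<?> c) {
    List<String> findings = new ArrayList<>();
    if (Modifier.isFinal(c.getModifiers())) {
      return findings; // MET03-J-EX0: methods of a final class cannot be overridden
    }
    for (Method m : c.getDeclaredMethods()) {
      int mod = m.getModifiers();
      boolean overridable = !Modifier.isPrivate(mod) && !Modifier.isFinal(mod)
          && !Modifier.isStatic(mod); // static methods are hidden, not overridden
      if (m.isAnnotationPresent(SecurityCheck.class) && overridable) {
        findings.add(c.getSimpleName() + "." + m.getName() + "()");
      }
    }
    return findings;
  }

  // Constructed sample classes mirroring the variants discussed on this page.
  static class Noncompliant { @SecurityCheck public void readSensitiveFile() {} }
  static class CompliantFinal { @SecurityCheck public final void readSensitiveFile() {} }
  static class CompliantPrivate { @SecurityCheck private void readSensitiveFile() {} }
  static final class FinalClass { @SecurityCheck public void readSensitiveFile() {} }

  public static void main(String[] args) {
    for (Class<?> c : List.of(Noncompliant.class, CompliantFinal.class,
                              CompliantPrivate.class, FinalClass.class)) {
      List<String> findings = findOverridableChecks(c);
      System.out.println(c.getSimpleName() + ": "
          + (findings.isEmpty() ? "OK" : "overridable security check " + findings));
    }
  }
}
```

The audit only sees methods that carry the marker, so it complements code review rather than replacing it.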

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.


Android Implementation Details

On Android, System.getSecurityManager() is not used, and the use of a security manager is not exercised. However, an Android developer can implement security-sensitive methods, so the principle may be applicable on Android.

Bibliography

[Ware 2008]

IH.2.b.b. Declare methods that enforce SecurityManager checks final—especially in non-final classes

 
