SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 142

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2021.1

...

This approach is useful when the instance fields are declared final. Callers request a copy by invoking the copy constructor with an existing MutableClass instance as its argument.

...

This approach is useful when the instance fields are declared final.

Compliant Solution (clone())

...

When a mutable class's instance fields are declared final and lack accessible copy methods, provide a clone() method, as shown in this compliant solution:

...

Mutable classes that define a clone() method must be declared final.

Compliant Solution (Unmodifiable Date Wrapper)

If cloning or copying a mutable object is infeasible or expensive, one alternative is to create an unmodifiable immutable view class. This class overrides mutable methods to throw an exception, protecting the mutable class.

Code Block
bgColor#ccccff
class UnmodifiableDateView extends Date {
  private Date date;

  public UnmodifiableDateView(Date date) {
    this.date = date;
  }

  public void setTime(long date) {
    throw new UnsupportedOperationException();
  }

  // Override all other mutator methods to throw UnsupportedOperationException
}

public final class MutableClass {
  private Date date;

  public MutableClass(Date d) {
    this.date = d;
  }

  public void setDate(Date d) {
    this.date = (Date) d.clone();
  }

  public UnmodifiableDateView getDate() {
    return new UnmodifiableDateView(date);
  }
}

Exceptions

OBJ04-J-EX0: Sensitive classes should not be cloneable, per OBJ07-J. Sensitive classes must not let themselves be copied.

...

Creating a mutable class without providing copy functionality can result in the data of its instance becoming corrupted when the instance is passed to untrusted code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

OBJ04-J

Low

Likely

Medium

P6

L2

Automated Detection

Sound automated detection is infeasible in the general case. Heuristic approaches could be useful.

Tool
Version
Checker
Description
CodeSonar4.2

FB.MALICIOUS_CODE.EI_EXPOSE_REP

FB.MALICIOUS_CODE.EI_EXPOSE_REP2

May expose internal representation by returning reference to mutable object

May expose internal representation by incorporating reference to mutable object

Coverity7.5

FB.EI_EXPOSE_REP2
FB.EI_EXPOSE_REP

Implemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.OBJ04.CLONE
CERT.OBJ04.CPCL
CERT.OBJ04.MPT
CERT.OBJ04.SMO
CERT.OBJ04.MUCOP		Make your 'clone()' method "final" for security
Enforce returning a defensive copy in 'clone()' methods
Do not pass user-given mutable objects directly to certain types
Do not store user-given mutable objects directly into variables
Provide mutable classes with copy functionality

Related Guidelines

MITRE CWE

CWE-374, Passing Mutable Objects to an Untrusted Method
CWE-375, Returning a Mutable Object to an Untrusted Caller

Secure Coding Guidelines for

the

Java

Programming Language

SE, Version

3

5.0

Guideline

2-3.

6-4 / MUTABLE-4: Support copy functionality for a mutable class

Bibliography

[API

2006

2014]

Method clone()

[Bloch 2008]

Item 39, "Make Defensive Copies When Needed"
Item 11, "Override Clone Judiciously"

[Security 2006]
 

...



...

Image Modified Image Modified Image Modified