SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 24

changes.mady.by.user Dean Sutherland

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2021.1

When security Security checks are based on untrusted sources , those sources could be compromised in such a way that the security check could be can be bypassed. The Any untrusted object or parameter should argument must be defensively copied before the a security check is carried outperformed. The copy operation must be a deep copy; the implementation of the clone() method may produce a shallow copy, which could can still be compromised. FurtherIn addition, the implementation of the clone() method may can be provided by the attacker . See guidelines MET08(see OBJ06-J. Do not use the clone method to copy untrusted method parameters and FIO00-J. Defensively copy mutable inputs and mutable internal components for more information).

Noncompliant Code Example

This noncompliant code example describes a security vulnerability from JDK the Java 1.5 java.0 software. At the timeio package. In this release, java.io.File was non-final is nonfinal, allowing an attacker to supply an untrusted value as a parameter which was argument constructed by extending the legitimate java.io.File class. In this waymanner, the getPath() method could can be overridden so that the security check passes the first time it is called but the value mutates changes the second time to refer to a sensitive file such as /etc/passwd. This is an example of a time-of-check-, time-of-use (TOCTOU) vulnerability.

Code Block
bgColor#FFcccc

public RandomAccessFile openFile(final java.io.File f) {
  askUserPermission(f.getPath());
  // ...
  return (RandomAccessFile)AccessController.doPrivileged(new PrivilegedAction <Object>() {
    public Object run() {
      return new RandomAccessFile(f, f.getPath());
    }
  });
}

The attacker can could extend java.io.File as follows:

Code Block

public class BadFile extends java.io.File {
  private int count;
  public String getPath() {
    return (++count == 1) ? "/tmp/foo" : "/etc/passwd";
  }
}

Compliant Solution

...

(Final)

This vulnerability can be mitigated by declaring java.io.File final.

Compliant Solution (Copy)

Security checks should not be based on untrusted sources. This compliant solution ensures that the java.io.File object can be trusted , because:

...

despite not being final. The solution creates a new File object using the standard

...

constructor. This technique ensures that any methods

...

invoked on the File object are the standard library methods

...

and not overriding methods

...

that have been provided by the attacker.

Note that using the clone() method instead of the openFile() method would copy the attacker's class, which is not desirable. (Refer to guideline MET08-J. Do not use the clone method to copy untrusted method parameters.)

Code Block
bgColor#ccccff

public RandomAccessFile openFile(java.io.File f) {
  final java.io.File copy = new java.io.File(f.getPath());
  askUserPermission(copy.getPath());
  // ...
  return (RandomAccessFile)AccessController.doPrivileged(new PrivilegedAction <Object>() {
    public Object run() {
      return new RandomAccessFile(copy, copy.getPath());
    }
  });
}

Note that using the clone() method instead of the openFile() method would copy the attacker's class, which is not desirable (see OBJ06-J. Defensively copy mutable inputs and mutable internal components).

Risk Assessment

Basing security checks on untrusted sources can result in the check being bypassed.

Guideline

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC09

SEC02-J

high

High

probable

Probable

medium

Medium

P12

L1

Automated Detection

...

Tool
Version
Checker
Description
Coverity7.5UNSAFE_REFLECTIONImplemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.SEC02.TDRFLProtect against Reflection injection

Related Guidelines

ISO/IEC TR 24772:2010

Authentication Logic Error [XZO]

MITRE CWE

CWE-302, Authentication Bypass by Assumed-Immutable Data
CWE-470, Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")

Android Implementation Details

The code examples using the java.security package are not applicable to Android, but the principle of the rule is applicable to Android apps.

Bibliography

[Sterbenz 2006]


...

Image Added Image Added Image Added

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

Wiki Markup
\[[Sterbenz 2006|AA. Bibliography#Sterbenz 06]\] 
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 302|http://cwe.mitre.org/data/definitions/302.html] "Authentication Bypass by Assumed-Immutable Data"

SEC08-J. Protect sensitive operations with security manager checks      02. Platform Security (SEC)      SEC10-J. Define custom security permissions for fine grained security