Non-final classes containing Nonfinal member methods that perform security checks can be compromised if when a malicious subclass overrides the methods and omits the checks. For this reasonConsequently, these such methods must be declared private or final to prevent them from being extendedoverriding.
Noncompliant Code Example
This noncompliant code example allows a subclass to override the readSensitiveFile()
method and omit the required security check.:
Code Block | ||
---|---|---|
| ||
public void readSensitiveFile() { try { SecurityManager sm = System.getSecurityManager(); if (sm != null) { // Check iffor filepermission canto beread readfile sm.checkRead("/temp/tempFile"); } // Access the file } catch (SecurityException se) { // Log exception } } |
Compliant Solution
This compliant solution prohibits inheritance prevents overriding of the readSensitiveFile()
method by declaring it final.:
Code Block | ||
---|---|---|
| ||
public final void readSensitiveFile() { try { SecurityManager sm = System.getSecurityManager(); if (sm != null) { // checkCheck iffor filepermission canto beread readfile sm.checkRead("/temp/tempFile"); } // Access the file } catch (SecurityException se) { // Log exception } } |
Compliant Solution
This compliant solution prohibits inheritance prevents overriding of the readSensitiveFile()
method by declaring it private.:
Code Block | ||
---|---|---|
| ||
private void readSensitiveFile() { try { SecurityManager sm = System.getSecurityManager(); if (sm != null) { // Check for permission to read file ...sm.checkRead("/temp/tempFile"); } // Access the file } catch (SecurityException se) { // Log exception } } |
Exceptions
MET03-J-EX1EX0: Classes that are declared final are exempt from this guideline as they imply that the contained rule because their member methods cannot be overridden.
Risk Assessment
Failing Failure to declare a non-final class's method private or final can allow a affords the opportunity for a malicious subclass to omit bypass the security checks defined performed in the methodsmethod.
Guideline Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MET03-J | medium Medium | probable Probable | medium Medium | P8 | L2 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
Wiki Markup |
---|
\[[Ware 2008|AA. Bibliography#Ware 08]\] |
Android Implementation Details
On Android, System.getSecurityManager()
is not used, and the use of a security manager is not exercised. However, an Android developer can implement security-sensitive methods, so the principle may be applicable on Android.
Bibliography
IH.2.b.b. Declare methods that enforce |
...
MET02-J. Validate method parameters 05. Methods (MET) MET04-J. Ensure that constructors do not call overridable methods