SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 37

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

When a custom class loader needs to must override the getPermissions() method, the implementation should must consult the default system policy by explicitly invoking the superclass's getPermissions() method before assigning arbitrary permissions to the code source. A custom class loader that ignores the superclass's getPermissions() could load untrusted classes with elevated privileges. ClassLoader is abstract and must not be directly subclassed. 

Noncompliant Code Example

This noncompliant code example shows a fragment of a custom class loader that extends the class URLClassLoader. It overrides the getPermissions() method and but does not call the its superclass's more restrictive getPermissions() method. Note that URLClassLoader's getPermissions() method calls the Policy class's getPermissions() method which, by default, uses the global system-wide policy file to enforce access control. Consequently, a class defined using this custom class loader has permissions that are completely independent of those specified in the system-wide systemwide policy file; in . In effect, the class's permissions override them.

Code Block
bgColor#FFcccc

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = new Permissions();
  // Allow exit from the VM anytime
  pc.add(new RuntimePermission("exitVM"));   //allow exit from the VM anytime
  return pc;
}

Compliant Solution

In this compliant solution, the overridden getPermissions() method calls super.getPermissions(). ConsequentlyAs a result, the default system-wide systemwide security policy is applied , in addition to the custom policy.

Code Block
bgColor#ccccff

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = super.getPermissions(cs);
  // Allow exit from the VM anytime
  pc.add(new RuntimePermission("exitVM"));
  return pc;
}

Risk Assessment

Failure to consult the default system policy while defining a custom classloader class loader violates the tenets of defensive programming and can result in classes defined with unintended permissions.

Guideline Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC11SEC07-J

high High

probable Probable

low Low

P18

L1

Automated Detection

This Violations of this rule can be addressed discovered with a heuristic checker in the style of FindBugs. As with all heuristic checks, achieving a low false-positive rate is essential.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

Wiki Markup
\[[API 2006|AA. Bibliography#API 06]\] [Class ClassLoader|http://java.sun.com/javase/6/docs/api/java/lang/ClassLoader.html]
\[[Oaks 2001|AA. Bibliography#Oaks 01]\]
\[[Security 2006|AA. Bibliography#Security 06]\]

Android Implementation Details

The java.security package exists on Android for compatibility purposes only, and it should not be used.

Bibliography

[API 2014]

Class ClassLoader

[Oaks 2001]

 

[Security 2006]

 

 

...

Image Added Image Added Image AddedSEC09-J. Do not base security checks on untrusted sources      14. Platform Security (SEC)      SEC12-J. Do not grant untrusted code access to classes in inaccessible packages