SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Application code that calls security-sensitive methods must validate the arguments being passed to the methods. In particular, null values may be interpreted as benign by certain security-sensitive methods and but may override default settings. Although security-sensitive methods must should be coded defensively in the first place, sometimes the onus must be on the client code to must validate the arguments it providesarguments that the method might otherwise accept as valid. Failure to do so can result in privilege escalation and execution of arbitrary code.

Noncompliant Code Example

This noncompliant code example shows the two-argument doPrivileged() method which that takes an access control context as the second argument. The construct allows changing privileges to that of This code restores privileges from a previously saved context.

Code Block
bgColor#ffcccc
langjava
AccessController.doPrivileged(
  new PrivilegedAction<Void>() {
    public Void run() {
      // ...
    }
  }, accessControlContext);

A When passed a null access control context means that the privileges would not be reduced , the two-argument doPrivileged() method fails to reduce the current privileges to those of the previously saved context. Consequently, this code may can grant excess privileges if when the accessControlContext argument is null. If Programmer who intend to call AccessController.doPrivileged() is intended to be called with  with a null access control context , it should be explicitly passed pass the null constant or use the one-argument version of AccessController.doPrivileged().

Compliant Solution 

This compliant solution prevents granting of excess privileges from being granted by ensuring that accessControlContext is not non-null.:

Code Block
bgColor#ccccff
langjava
if (accessControlContext == null) {
  throw new SecurityException("Missing AccessControlContext");
}
AccessController.doPrivileged(
  new PrivilegedAction<Void>() {
    public Void run() {
      // ...
    }
  }, accessControlContext);

Noncompliant Code Example

This noncompliant code example ...

Code Block
bgColor#ffcccc
langjava
 System.setSecurityManager(null);

Compliant Solution 

This compliant solution ...

Code Block
bgColor#ccccff
langjava
System.setSecurityManager(new SecurityManager());

Applicability

Bibliography

Applicability

Security-sensitive methods must be thoroughly understood and their parameters validated to prevent corner cases with unexpected argument values (such as null arguments). If unexpected argument values are passed to security-sensitive methods, arbitrary code execution becomes possible, and privilege escalation becomes likely.

Bibliography

[API 2013

[TODO]https://www.cigital.com/justice-league-blog/2009/08/14/proper-use-of-javas-securerandom/

[API 2011]

AccessController.doPrivileged(), System.setSecurityManager()

 

...

Image Modified Image Modified  Image Modified