Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2021.1

A mutable input has the characteristic that its value may change between different accesses. This opens a window of opportunity for exploiting race conditions. A vary; that is, multiple accesses may see differing values. This characteristic enables potential attacks that exploit race conditions. For example, a time-of-check, time-of-use (TOCTOU) inconsistency results vulnerability may result when a field contains a value that passes the initial validation and security checks but mutates to a different value during actual changes before use.

Additionally, Returning references to an object's state may get corrupted if it returns references to internal mutable components . Accessors must consequently provides an attacker with the opportunity to corrupt the state of the object. Consequently, accessor methods must return defensive copies of internal mutable objects . (See guideline OBJ11see OBJ05-J. Defensively copy Do not return references to private mutable class members before returning their references.) for more information).

Noncompliant Code Example

A TOCTOU inconsistency exists in this This noncompliant code example contains a TOCTOU vulnerability. As Because cookie is a mutable input, an attacker may can cause the cookie it to expire between the initial check (the hasExpired() call) and the actual use (the doLogic() call).

Code Block
bgColor#FFcccc

public final class MutableDemo {
  // java.net.HttpCookie is mutable
  public void useMutableInput(HttpCookie cookie) {
    if (cookie == null) {
       throw new NullPointerException();
    }

    // Check ifwhether cookie has expired
    if (cookie.hasExpired()) {
      // Cookie is no longer valid,; handle condition by throwing an exception
    }

    // Cookie may have expired since time of check 
    doLogic(cookie);
  }
}

Compliant Solution

The problem is alleviated by creating a copy of This compliant solution avoids the TOCTOU vulnerability by copying the mutable input and using it to perform operations so that the original object is left unscathed. This can be realized by performing all operations on the copy. Consequently, an attacker's changes to the mutable input cannot affect the copy. Acceptable techniques include using a copy constructor or implementing the java.lang.Cloneable interface and declaring a public public clone method if the class is final or by using a copy constructor. Performing a manual copy of the object state within the caller becomes necessary if the () method (for classes not declared final). In cases such as HttpCookie where the mutable class is declared final. That final—that is, it cannot provide an accessible copy method. See the guideline OBJ10method—perform a manual copy of the object state within the caller (see OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code safely for more information). Note that any input validation must be performed on the copy and not rather than on the original object.

Code Block
bgColor#ccccff

public final class MutableDemo {
  // java.net.HttpCookie is mutable
  public void useMutableInput(HttpCookie cookie) {
    if (cookie == null) {
      throw new NullPointerException();
    }

    // Create copy
    cookie = (HttpCookie)cookie.clone();

    // Check ifwhether cookie has expired
    if (cookie.hasExpired()) {
      // Cookie is no longer valid,; handle condition by throwing an exception
    }

    doLogic(cookie);
  }
}

Compliant Solution

Sometimes, the copy constructor or the Some copy constructors and clone() method returns methods perform a shallow copy of the original instance. For example, invocation of clone() on an array results in creation of an array instance that shares references to whose elements have the same elements values as the original instance. However, a deep copy that involves element duplication is required when the input consists of mutable componentsThis shallow copy is sufficient for arrays of primitive types but fails to protect against TOCTOU vulnerabilities when the elements are references to mutable objects, such as an array of cookies. This compliant solution exemplifies this condition.Such cases require a deep copy that also duplicates the reference objects.

This compliant solution demonstrates correct use both of a shallow copy (for the array of int) and of a deep copy (for the array of cookies):

Code Block
bgColor#ccccff

  public void deepCopy(int[] ints, HttpCookie[] cookies) {
    if (ints == null || cookies == null) {
      throw new NullPointerException();
    }

    // Shallow copy
    int[] intsCopy = ints.clone();

    // Deep copy
    HttpCookie[] cookiesCopy = new HttpCookie[cookies.length];
    for (int i = 0; i < cookies.length; i++) {
      // Manually create copy of each element in array
      cookiesCopy[i] = (HttpCookie)cookies[i].clone();
    }
 
    doLogic(intsCopy, cookiesCopy);
}

Noncompliant Code Example

When the class of the a mutable input type is non-final, a malicious subclass may maliciously override its clone() method. This is a serious issue unless the non-final input defends against itis nonfinal or is an interface, an attacker can write a subclass that maliciously overrides the parent class's clone() method. The attacker's clone() method can subsequently subvert defensive copying. This noncompliant code example demonstrates this weakness.:

Code Block
bgColor#FFcccc

// java.util.ArrayListCollection is mutable and non-finalan interface
public void copyNonFinalInputcopyInterfaceInput(ArrayListCollection<String> listcollection) {
  doLogic(listcollection.clone());
}

Compliant Solution

To copy mutable inputs having a non-final type, create a new instance of the ArrayList. This This compliant solution protects against potential malicious overriding by creating a new instance of the nonfinal mutable input, using the expected class rather than the class of the potentially malicious argument. The newly created instance can be forwarded to any code capable of modifying it.

Code Block
bgColor#ccccff

// java.util.ArrayList is mutable and non-final
public void copyNonFinalInput(ArrayList list) {
  // Create new instance of declared input type 
  list = new ArrayList(list);
  doLogic(list);
}

Noncompliant Code Example

This noncompliant code example uses the Collection interface as an input parameter and directly passes it to doLogic().

Code Block
bgColor#FFcccc

// java.util.Collection is an interface
public void copyInterfaceInput(Collection<String> collection) {
  doLogic(collection);
}

Compliant Solution

This compliant solution instantiates a new ArrayList and forwards it to the doLogic() method.

Code Block
bgColor#ccccff

public void copyInterfaceInput(Collection<String> collection) {
  // Convert input to trusted implementation
  collection = new ArrayList(collection);
  doLogic(collection);
}

Some objects appear to be immutable because they have no mutator methods. For example, the java.lang.CharacterSequenceCharSequence interface describes an immutable sequence of characters. It should be noted that if the underlying implementation on which the CharacterSequence is based changes, the value of the CharacterSequence also changesNote, however, that a variable of type CharSequence is a reference to an underlying object of some other class that implements the CharSequence interface; that other class may be mutable. When the underlying object changes, the CharSequence changes. Essentially, the java.lang.CharSequence interface omits methods that would permit object mutation through that interface but lacks any guarantee of true immutability. Such objects must still be defensively copied before use. It is also permissible to use . For the case of the java.lang.CharSequence interface, one permissible approach is to obtain an immutable copy of the characters by using the toString() method to make them immutable before passing them as parameters. Mutable fields should not be stored in static variables. When there is no other alternative, create defensive copies of the fields to avoid exposing them to untrusted code.

Risk Assessment

Failing to create a copy of a mutable input may enable an attacker to exploit a TOCTOU vulnerability and at other times, result in a TOCTOU vulnerability or expose internal mutable components to untrusted code.

Guideline

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO00

OBJ06-J

medium

Medium

probable

Probable

high

High

P4

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[SCG 2007|AA. Java References#SCG 07]\] Guideline 2-1 Create a copy of mutable inputs and outputs
\[[Bloch 2008|AA. Java References#Bloch 08]\] Item 39: Make defensive copies when needed
\[[Pugh 2009|AA. Java References#Pugh 09]\] Returning references to internal mutable state

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.OBJ06.CPCL
CERT.OBJ06..MPT
CERT.OBJ06.SMO
CERT.OBJ06.MUCOP
Enforce returning a defensive copy in 'clone()' methods
Do not pass user-given mutable objects directly to certain types
Do not store user-given mutable objects directly into variables
Provide mutable classes with copy functionality
SonarQube
Include Page
SonarQube_V
SonarQube_V
S2384

Mutable members should not be stored or returned directly

Implemented for Arrays, Collections and Dates.

Related Vulnerabilities

CVE-2012-0507 describes an exploit that managed to bypass Java's applet security sandbox and run malicious code on a remote user's machine. The exploit created a data structure that is normally impossible to create in Java but was built using deserialization, and the deserialization process did not perform defensive copies of the deserialized data. See the code examples in SER07-J. Do not use the default serialized form for classes with implementation-defined invariants for more information.

Related Guidelines

Secure Coding Guidelines for Java SE, Version 5.0

Guideline 6-2 / MUTABLE-2: Create copies of mutable output values

Bibliography

[Bloch 2008]

Item 39, "Make Defensive Copies When Needed"

[Pugh 2009]

"Returning References to Internal Mutable State"


...

Image Added Image Added Image Added09. Input Output (FIO)      09. Input Output (FIO)      FIO01-J. Do not expose buffers created using the wrap() or duplicate() methods to untrusted code