Objects in general should — and should—and security-critical objects must — be —be maintained in a consistent state even when exceptional conditions arise. Common techniques for maintaining object consistency include
...
This noncompliant code example shows a Dimensions
class that contains three internal attributes, : the length
, width
, and height
of a rectangular box. The getVolumePackage()
method is designed to return the total volume required to hold the box after accounting for packaging material, which adds 2 units to the dimensions of each side. Nonpositive values of the dimensions of the box (exclusive of packaging material) are rejected during input validation. No dimension can be larger than 10. Also, the weight
of the object is passed in as an argument and cannot be more than 20 units.
Consider the case where If the weight
is more than 20 units. This , it causes an IllegalArgumentException
, which is intercepted by the custom error reporter. While Although the logic restores the object's original state in the absence of this exception, the rollback code fails to execute in the event of an exception. Consequently, subsequent invocations of getVolumePackage()
produce incorrect results.
Code Block | ||
---|---|---|
| ||
class Dimensions { private int length; private int width; private int height; static public final int PADDING = 2; static public final int MAX_DIMENSION = 10; public Dimensions(int length, int width, int height) { this.length = length; this.width = width; this.height = height; } protected int getVolumePackage(int weight) { length += PADDING; width += PADDING; height += PADDING; try { if (length <= PADDING || width <= PADDING || height <= PADDING || length > MAX_DIMENSION + PADDING || width > MAX_DIMENSION + PADDING || height > MAX_DIMENSION + PADDING || weight <= 0 || weight > 20) { throw new IllegalArgumentException(); } int volume = length * width * height; // 12 * 12 * 12 = 1728 length -= PADDING; width -= PADDING; height -= PADDING; // Revert return volume; } catch (Throwable t) { MyExceptionReporter mer = new MyExceptionReporter(); mer.report(t); // Sanitize return -1; // Non-positive error code } } public static void main(String[] args) { Dimensions d = new Dimensions(108, 108, 108); System.out.println(d.getVolumePackage(21)); // Prints -1 (error) System.out.println(d.getVolumePackage(19)); // Prints 1728 2744(12x12x12) instead of 1000 1728(10x10x10) } } |
The catch
clause is permitted by exception ERR08-J-EX0 in ERR08-J. Do not catch NullPointerException or any of its ancestors because it serves as a general filter passing exceptions to the MyExceptionReporter
class, which is dedicated to safely reporting exceptions as recommended by rule ERR00-J. Do not suppress or ignore checked exceptions. While Although this code only throws IllegalArgumentException
, the catch
clause is general enough to handle any exception in case the try
block should be modified to throw other exceptions.
...
This compliant solution replaces the catch
block in the getVolumePackage()
method with code that restores prior object state in the event of an exception.:
Code Block | ||
---|---|---|
| ||
// ...
} catch (Throwable t) {
MyExceptionReporter mer = new MyExceptionReporter();
mer.report(t); // Sanitize
length -= PADDING; width -= PADDING; height -= PADDING; // Revert
return -1;
}
|
...
This compliant solution uses a finally
clause to perform rollback, guaranteeing that rollback occurs whether or not an error occurs.:
Code Block | ||
---|---|---|
| ||
protected int getVolumePackage(int weight) { length += PADDING; width += PADDING; height += PADDING; try { if (length <= PADDING || width <= PADDING || height <= PADDING || length > MAX_DIMENSION + PADDING || width > MAX_DIMENSION + PADDING || height > MAX_DIMENSION + PADDING || weight <= 0 || weight > 20) { throw new IllegalArgumentException(); } int volume = length * width * height; // 12 * 12 * 12 = 1728 return volume; } catch (Throwable t) { MyExceptionReporter mer = new MyExceptionReporter(); mer.report(t); // Sanitize return -1; // Non-positive error code } finally { // Revert length -= PADDING; width -= PADDING; height -= PADDING; } } |
...
This compliant solution improves on the previous solution by performing input validation before modifying the state of the object. Note that the try
block contains only those statements that could throw the exception; all others have been moved outside the try
block.
Code Block | ||
---|---|---|
| ||
protected int getVolumePackage(int weight) {
try {
if (length <= 0 || width <= 0 || height <= 0 ||
length > MAX_DIMENSION || width > MAX_DIMENSION || height > MAX_DIMENSION ||
weight <= 0 || weight > 20) {
throw new IllegalArgumentException(); // Validate first
}
} catch (Throwable t) { MyExceptionReporter mer = new MyExceptionReporter();
mer.report(t); // Sanitize
return -1;
}
length += PADDING;
width += PADDING;
height += PADDING;
int volume = length * width * height;
length -= PADDING; width -= PADDING; height -= PADDING;
return volume;
}
|
...
This compliant solution avoids the need to modify the object. The object's state cannot be made inconsistent, and rollback is consequently unnecessary. This approach is preferred to solutions that modify the object but may be infeasible for complex code.
Code Block | ||
---|---|---|
| ||
protected int getVolumePackage(int weight) {
try {
if (length <= 0 || width <= 0 || height <= 0 ||
length > MAX_DIMENSION || width > MAX_DIMENSION ||
height > MAX_DIMENSION || weight <= 0 || weight > 20) {
throw new IllegalArgumentException(); // Validate first
}
} catch (Throwable t) {
MyExceptionReporter mer = new MyExceptionReporter();
mer.report(t); // Sanitize
return -1;
}
int volume = (length + PADDING) * (width + PADDING) *
(height + PADDING);
return volume;
}
|
...
Failure to restore prior object state on method failure can leave the object in an inconsistent state and can violate required state invariants.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ERR03-J |
Low |
Probable |
High | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Parasoft Jtest |
| CERT.ERR03.REVOBJ | Restore prior object state on method failure |
Related Vulnerabilities
CVE-2008-0002 describes a vulnerability in several versions of Apache Tomcat. If an exception occurs during parameter processing, the program can be left in the context of the wrong request, which might allow remote attackers to obtain sensitive information. An exception can be triggered by disconnecting from Tomcat during this processing.
Related Guidelines
Bibliography
Thrown Exception |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a083880e-84e9-418f-a67f-d977b5288b9e"><ac:plain-text-body><![CDATA[
[[Bloch 2008
] | Item 64 |
, "Strive for |
]]></ac:plain-text-body></ac:structured-macro>
Failure Atomicity" |
...
06. Exceptional Behavior (ERR) ERR04-J. Do not exit abruptly from a finally block