Application code that calls security-sensitive methods must validate the arguments being passed to the methods. In particular, null
values may be interpreted as benign by certain security-sensitive methods and but may override default settings. Although security-sensitive methods must should be coded defensively in the first place, sometimes the onus must be on the client code to must validate the arguments it providesarguments that the method might otherwise accept as valid. Failure to do so can result in privilege escalation and execution of arbitrary code.
Noncompliant Code Example
This noncompliant code example shows the two-argument doPrivileged()
method which that takes an access control context as the second argument. The construct allows changing privileges to that of This code restores privileges from a previously saved context.
Code Block | ||||
---|---|---|---|---|
| ||||
AccessController.doPrivileged( new PrivilegedAction<Void>() { public Void run() { // ... } }, accessControlContext); |
When passed a null access control context, the two-argument doPrivileged()
method will fail fails to reduce the current privileges to those of the previously saved context. Consequently, this code may can grant excess privileges when the accessControlContext
argument is null. Programmers Programmer who intend to call call AccessController.doPrivileged()
with a null access control context should explicitly pass the null
constant or use the one-argument version of AccessController.doPrivileged()
.
Compliant Solution
This compliant solution prevents granting of excess privileges by ensuring that accessControlContext
is non-null.:
Code Block | ||||
---|---|---|---|---|
| ||||
if (accessControlContext == null) { throw new SecurityException("Missing AccessControlContext"); } AccessController.doPrivileged( new PrivilegedAction<Void>() { public Void run() { // ... } }, accessControlContext); |
Applicability
Security-sensitive methods must be thoroughly understood and their parameters validated (to prevent null arguments for instance) in order to prevent corner cases with unexpected argument values (such as null arguments). If unexpected argument values are passed to security-sensitive methods, arbitrary code execution becomes possible, and privilege escalation becomes likely.
Bibliography
...
...