You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Next »

It is possible to access fields and methods of another object from a given object. Language access checks are enforced by the JVM to ensure policy compliance, while doing so. For instance, although an object is not normally allowed to access private members or invoke methods of another class, the APIs belonging to the java.lang.reflect package allow an object to do so contingent upon performing the mirrored language access checks.

Noncompliant Code Example

In this noncompliant code snippet, the private field i of class C can be accessed from class ReflectionExample. Method makeAccessible accepts fieldName as input which can be supplied by untrusted code. This is dangerous because despite the untrusted code not having the same capabilities as that of the immediate caller, it is allowed to carry out sensitive operations.

import java.lang.reflect.Field;

public class ReflectionExample {

  public static void makeAccessible(String fieldName) {
    C c = new C();
    try {
	Field f = c.getClass().getDeclaredField(fieldName);
	System.out.println(f.isAccessible());
	f.setAccessible(true);
	System.out.println(f.isAccessible());
	System.out.println(f.getInt(c));
    }
    catch(NoSuchFieldException nsfa){}
    catch(IllegalAccessException iae) {}
  }
}

class C {
  private int i = 10;
}

Compliant Solution

Avoid invoking affected APIs on Class, Constructor, Field or Method instances passed in from untrusted code. Even when the instances are acquired safely, do not use tainted inputs provided by untrusted code. Likewise, do not return values to the untrusted caller. The table below lists the APIs that should be used with care.

APIs that mirror language checks

java.lang.Class.newInstance

java.lang.reflect.Constructor.newInstance

java.lang.reflect.Field.get*

java.lang.reflect.Field.set*

java.lang.reflect.Method.invoke

java.util.concurrent.atomic.AtomicIntegerFieldUpdater.newUpdater

java.util.concurrent.atomic.AtomicLongFieldUpdater.newUpdater

java.util.concurrent.atomic.AtomicReferenceFieldUpdater.newUpdater

Risk Assessment

Performing access checks against the immediate caller, instead of against each caller in the execution sequence, may seriously compromise the security of a java application.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC04-J

medium

probable

high

P4

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Chan 99]] java.lang.reflect AccessibleObject
[[SCG 07]] Guideline 6-4 Be aware of standard APIs that perform Java language access checks against the immediate caller


SEC03-J. Beware of standard APIs that may use the immediate caller's class loader instance      00. Security (SEC)      SEC06-J. Assume that all Java clients can be reverse engineered, monitored, and modified

  • No labels