It is common for developers to separate the program logic into different classes or files to encourage modularity and re-usability. Unfortunately, this often imposes maintenance hurdles such as ensuring that the superclass does not change and in turn indirectly affect subclass behavior in undesired ways.
For instance, the introduction of the entrySet
method in the superclass java.util.Hashtable
in JDK 1.2, left the java.security.Provider
class vulnerable to malicious deletion of entries due to absence of security manager checks. \Add Reference
Noncompliant Code Example
This noncompliant example shows a class SuperClass
that stores banking related information but delegates the security manager and input validation tasks to the class SubClass
. The client application has to use SubClass
since it contains authentication mechanisms as well. A new method called overdraft
is added by the maintainer of class SuperClass
and the extending class SubClass
is not aware of this change. This exposes the client application to malicious invocations such as ones using the overdraft
method on the currently in-use object. All security checks are deemed useless in such cases.
class SuperClass { //Main Bank class maintains all data during program execution private double balance=0; protected boolean withdraw(double amount) { balance -= amount; return true; } protected void overdraft() { //this method was added at a later date balance += 300; //add 300 in case there is an overdraft System.out.println("The balance is :" + balance); } } class SubClass extends SuperClass { //all users has to subclass this to proceed public boolean withdraw(double amount) { // inputValidation(); // securityManagerCheck(); // Login by checking credentials using database and then call a method in SuperClass // that updates the balance field to reflect current balance, other details return true; } public void doLogic(SuperClass sc,double amount) { sc.withdraw(amount); } } public class Affect { public static void main(String[] args) { SuperClass sc = new SubClass(); //override SubClass sub = new SubClass(); //need instance of SubClass to call methods if(sc.withdraw(200.0)) { //validate and enforce security manager check sc = new SuperClass(); //if allowed perform the withdrawal sub.doLogic(sc, 200.0); //pass the instance of SuperClass to use it } else System.out.println("You do not have permission/input validation failed!"); sc.overdraft(); //newly added method, has no security manager checks. Beware! } }
Compliant Solution
Always keep the following postulates in mind:
- Understand what the superclass does and watch out for mutating functionality
- Make sure that new methods that are added to the superclass are overridden appropriately if there is some division of logic
- Never modularize in absurd ways as is apparent in the noncompliant code example
Risk Assessment
TODO
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
OBJ01-J |
?? |
?? |
?? |
P?? |
L?? |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Sun Secure Coding Guideline 1-3 Understand how a superclass can affect subclass behavior