According to the Java Language Specification [[JLS 05]], section 12.5 "Creation of New Class Instances":
Unlike C++, the Java programming language does not specify altered rules for method dispatch during the creation of a new class instance. If methods are invoked that are overridden in subclasses in the object being initialized, then these overriding methods are used, even before the new object is completely initialized.
This means that a method may use uninitialized data and cause runtime exceptions or lead to unanticipated outcomes. Calling overridable methods from constructors can also result in the escaping of the this reference before construction has concluded (see TSM01-J. Do not let the (this) reference escape during object construction).
Noncompliant Code Example
This noncompliant code example invokes the doLogic() method from the class constructor. The superclass's doLogic() method gets invoked on the first call, however, the overriding method is invoked on the second one. In the second call, the issue is that the constructor for SubClass initiates the super class's constructor which undesirably ends up calling SubClass's doLogic() method. The value of color is left as null because the initialization of the class SubClass has not yet concluded.
class BaseClass {
public BaseClass() {
doLogic();
}
public void doLogic() {
System.out.println("This is super-class!");
}
}
class SubClass extends BaseClass {
private String color = null;
public SubClass() {
super();
color = "Red";
}
public void doLogic() {
// Color becomes null
System.out.println("This is sub-class! The color is :" + color);
// ...
}
}
public class Overridable {
public static void main(String[] args) {
BaseClass bc = new BaseClass(); // Prints "This is super-class!"
BaseClass sc = new SubClass(); // Prints "This is sub-class! The color is :null"
}
}
Compliant Solution
This compliant solution declares the doLogic() method as final so that it is no longer overridable.
class BaseClass {
public BaseClass() {
doLogic();
}
public final void doLogic() {
System.out.println("This is super-class!");
}
}
In addition to constructors, do not call overridable methods from the clone(), readObject() and readObjectNoData() methods as it would allow attackers to obtain partially initialized instances of classes (see MET07-J. Do not invoke overridable methods on the clone under construction and SER11-J. Do not invoke overridable methods from the readObject method). It is also insecure to call an overridden method from the finalize() method. This can prolong the subclass' life and in fact, render the finalization call useless (See the example in OBJ08-J. Avoid using finalizers). Additionally, if the subclass's finalizer has terminated key resources, invoking its methods from the superclass may lead one to observe the object in an inconsistent state and in the worst case result in a NullPointerException.
Risk Assessment
Allowing a constructor to call overridable methods may give an attacker access to the this reference before an object is fully initialized which, in turn, could lead to a vulnerability.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MET04- J |
medium |
probable |
medium |
P8 |
L2 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[JLS 05]] Chapter 8, Classes
, 12.5 "Creation of New Class Instances"
[[SCG 07]] Guideline 4-3 Prevent constructors from calling methods that can be overridden
[[ESA 05]] Rule 62: Do not call non-final methods from within a constructor.
12. Methods (MET) MET05-J. Do not subject overloaded methods to polymorphic invocations