Developers often separate program logic across multiple classes or files to modularize code and to increase re-usability. When developers modify a superclass (during maintenance, for example), the developer must ensure that changes in superclasses preserve all of the program invariants on which the subclasses depend. Failure to maintain all relevant invariants can cause security vulnerabilities.
The introduction of the entrySet()
method in the superclass java.util.Hashtable
in JDK 1.2 left the java.security.Provider
class vulnerable to a security attack. The class java.security.Provider
extends java.util.Properties
, which, in turn, extends java.util.Hashtable
. The Provider
maps a cryptographic algorithm name (for example, RSA) to a class that provides its implementation.
The class Provider
inherits the put()
and remove()
methods from Hashtable
and adds security manager checks to each. These checks ensure that malicious code cannot add or remove the mappings. When entrySet()
was introduced, it became possible for untrusted code to remove the mappings from the Hashtable
because java.security.Provider
did not override this method to provide the necessary security manager check [[SCG 2007]]. This problem is commonly know as a "fragile class hierarchy" in other object-oriented languages such as C++.
Noncompliant Code Example
This noncompliant code example shows a class SuperClass
that stores banking-related information and delegates the security manager and input validation tasks to the class SubClass
. The client application is required to use SubClass
because it contains the authentication mechanisms.
class SuperClass { // SuperClass maintains all banking related data such as account balance private double balance = 100; boolean withdraw(double amount) { if ((balance - amount) >= 0) { balance -= amount; System.out.println("Withdrawal successful. The balance is : " + balance); return true; } return false; } void overdraft() { // This method is added at a later date balance += 300; // Add 300 in case there is an overdraft System.out.println("Added back-up amount. The balance is :" + balance); } } class SubClass extends SuperClass { // Subclass handles authentication @Override boolean withdraw(double amount) { // inputValidation(), securityManagerCheck() and authenticateUser() return super.withdraw(amount); } public static void doLogic(SuperClass sc, double amount) { if (!sc.withdraw(amount)) { throw new IllegalStateException(); } // ... } }
At a later date, the maintainer of the class SuperClass
added a new method called overdraft
; the extending class SubClass
, however, was not aware of this change. The client application consequently became vulnerable to malicious invocations. For example, the overdraft
method could be invoked directly on the currently in-use SubClass
object, avoiding the security checks that should have been present. The following demonstrates this vulnerability.
public class Client { public static void main(String[] args) { SuperClass sc = new SubClass(); // Override if(sc.withdraw(200.0)) { // Validate and enforce security manager check SubClass.doLogic(sc, 200.0); // Withdraw 200.0 from superclass } else { sc.overdraft(); // Newly added method, lacks security manager checks } } }
Compliant Solution
In this compliant solution, class SubClass
provides an overriding version of the overdraft()
method that throws an exception, thus preventing misuse of the overdraft feature. All other aspects of the compliant solution remain unchanged.
class SubClass extends SuperClass { // ... @Override void overdraft() { // override throw new IllegalAccessException(); } }
Alternatively, when the intended design permits the new method in the parent class to be invoked directly from a subclass without overriding, install a security manager check directly in the new method.
Noncompliant Code Example
This noncompliant code example overrides the methods after()
and compareTo()
of the class java.util.Calendar
. The Calendar.after()
method returns a boolean
value that indicates whether the Calendar
represents a time after that represented by the specified Object
parameter. The programmer wishes to extend this functionality so that the after()
method returns true
even when the two objects represent the same date. She also overrides the method compareTo()
to provide a "comparisons by day" option to clients. For example, comparing today's day with the first day of week (which differs from country to country) to check whether it is a weekday.
class CalendarSubclass extends Calendar { @Override public boolean after(Object when) { // correctly calls Calendar.compareTo() if(when instanceof Calendar && super.compareTo((Calendar)when) == 0) { // Note the == operator return true; } return super.after(when); // Calls CalendarSubclass.compareTo() instead of Calendar.compareTo() } @Override public int compareTo(Calendar anotherCalendar) { // This method is erroneously invoked by Calendar.after() return compareDays(this.getFirstDayOfWeek(), anotherCalendar.getFirstDayOfWeek()); } private int compareDays(int currentFirstDayOfWeek, int anotherFirstDayOfWeek) { return (currentFirstDayOfWeek > anotherFirstDayOfWeek) ? 1 : (currentFirstDayOfWeek == anotherFirstDayOfWeek) ? 0 : -1; } public static void main(String[] args) { CalendarSubclass cs1 = new CalendarSubclass(); CalendarSubclass cs2 = new CalendarSubclass(); // Wed Dec 31 19:00:00 EST 1969 cs1.setTime(new Date()); // Current day's date System.out.println(cs1.after(cs2)); // prints false } // Implementation of other abstract methods } // The implementation of java.util.Calendar.after() method is shown below public boolean after(Object when) { return when instanceof Calendar && compareTo((Calendar)when) > 0; // Note the > operator // forwards to the subclass's implementation erroneously }
Such errors generally occur because the developer has depended on assumptions about the implementation specific details of the superclass. Even when these assumptions are correct when originally made, the implementation details of the superclass may change in the future without warning. In this case, the two objects are initially compared using the overriding after()
method; subsequently, the superclass's after()
method is explicitly invoked to perform the remainder of the comparison. But the superclass Calendar
's after()
method internally uses class Object's
compareTo()
method. Consequently, the superclass's after()
method invokes the subclass's version of compareTo()
. Because the developer of the subclass was unaware of the details of the superclass's implementation of after()
, she incorrectly assumed that the superclass's after()
method would invoke only its own methods without invoking overriding methods from the subclass. The guideline MET04-J. Ensure that constructors do not call overridable methods describes similar programming errors.
Compliant Solution
This compliant solution recommends the use of a design pattern called composition and forwarding (sometimes also referred to as delegation) [[Lieberman 1986]] and [[Gamma 1995]]. The compliant solution introduces a new forwarder class that contains a private
member field of the Calendar
type; this is composition rather than inheritance In this example, the field refers to CalendarImplementation
, a concrete instantiable implementation of the abstract
Calendar
class. The compliant solution also introduces a wrapper class called CompositeCalendar
that provides the same overridden methods found in the CalendarSubclass
from the preceding noncompliant code example.
// The CalendarImplementation object is a concrete implementation of the abstract Calendar class // Class ForwardingCalendar public class ForwardingCalendar { private final CalendarImplementation c; public ForwardingCalendar(CalendarImplementation c) { this.c = c; } CalendarImplementation getCalendarImplementation() { return c; } public boolean after(Object when) { return c.after(when); } public int compareTo(Calendar anotherCalendar) { // CalendarImplementation.compareTo() will be called return c.compareTo(anotherCalendar); } } //Class CompositeCalendar class CompositeCalendar extends ForwardingCalendar { public CompositeCalendar(CalendarImplementation ci) { super(ci); } @Override public boolean after(Object when) { // This will call the overridden version i.e. CompositeClass.compareTo(); if(when instanceof Calendar && super.compareTo((Calendar)when) == 0) { // Return true if it is the first day of week return true; } return super.after(when); // Does not compare with first day of week anymore; // Uses default comparison with epoch } @Override public int compareTo(Calendar anotherCalendar) { return compareDays(super.getCalendarImplementation().getFirstDayOfWeek(), anotherCalendar.getFirstDayOfWeek()); } private int compareDays(int currentFirstDayOfWeek, int anotherFirstDayOfWeek) { return (currentFirstDayOfWeek > anotherFirstDayOfWeek) ? 1 : (currentFirstDayOfWeek == anotherFirstDayOfWeek) ? 0 : -1; } public static void main(String[] args) { CalendarImplementation ci1 = new CalendarImplementation(); CalendarImplementation ci2 = new CalendarImplementation(); CompositeCalendar c = new CompositeCalendar(ci1); ci1.setTime(new Date()); System.out.println(c.after(ci2)); // prints true } }
Note that each method of the class ForwardingCalendar
redirects to methods of the contained class instance (CalendarImplementation
), from which it receives return values; this is the forwarding mechanism. The ForwardingCalendar
class is largely independent of the implementation of the class CalendarImplementation
. Consequently, future changes to CalendarImplementation
are unlikely to break ForwardingCalendar
and thus are also unlikely to break CompositeCalendar
, which derives from ForwardingCalendar
. Invocations of CompositeCalendar
's overriding after()
method perform the necessary comparison by using the local version of the compareTo()
method as required. Using super.after(when)
forwards to ForwardingCalendar
which invokes the CalendarImplementation
's after()
method. Consequently, ava.util.Calendar.after()
invokes CalendarImplementation
's compareTo()
method rather than the overriding version in CompositeClass
that was inappropriately called in the noncompliant code example.
Risk Assessment
Modifying a superclass without considering the effect on a subclass can introduce vulnerabilities. Subclasses that are unaware of the superclass implementation can be subject to erratic behavior resulting in inconsistent data state and mismanaged control flow.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
OBJ07-J |
medium |
probable |
high |
P4 |
L3 |
Automated Detection
Sound automated detection is not currently feasible.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[SCG 2007]] Guideline 1-3 Understand how a superclass can affect subclass behavior
[[Bloch 2008]] Item 16: "Favor composition over inheritance"
[[Gamma 1995]]
[[Lieberman 1986]]
OBJ06-J. Compare classes and not class names 08. Object Orientation (OBJ) OBJ08-J. Avoid using finalizers