When a custom class loader needs to override the getPermissions()
method, the implementation should consult the default system policy by explicitly invoking the superclass's getPermissions()
method before assigning arbitrary permissions to the code source.
Noncompliant Code Example
This noncompliant code example shows a snippet of a custom class loader that extends the class URLClassLoader
. It overrides the getPermissions()
method and does not call the superclass's more restrictive getPermissions()
method. Note that URLClassLoader
's getPermissions()
method calls the Policy
class's getPermissions()
method which, by default, uses the global system-wide policy file to enforce access control. Consequently, a class defined using this custom class loader has permissions that are completely independent of those specified in the system-wide policy file; in effect, the class's permissions override them.
protected PermissionCollection getPermissions(CodeSource cs) { PermissionCollection pc = new Permissions(); pc.add(new RuntimePermission("exitVM")); //allow exit from the VM anytime return pc; }
Compliant Solution
In this compliant solution, the overridden getPermissions()
method calls super.getPermissions()
. Thus, the default system-wide security policy is consulted, in addition to the custom policy.
protected PermissionCollection getPermissions(CodeSource cs) { PermissionCollection pc = super.getPermissions(cs); pc.add(new RuntimePermission("exitVM")); return pc; }
Risk Assessment
Failure to consult the default system policy while defining a custom classloader violates the tenets of defensive programming and can result in classes defined with unintended permissions.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
SEC11-J |
high |
probable |
low |
P18 |
L1 |
Automated Detection
This can be addressed with a heuristic checker in the style of FindBugs. As with all heuristic checks, achieving a low false-positive rate is essential.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[API 2006]] Class ClassLoader
[[Oaks 2001]]
[[Security 2006]]
SEC10-J. Define custom security permissions for fine grained security 02. Platform Security (SEC) SEC12-J. Do not grant untrusted code access to classes in inaccessible packages