Problems may arise if defensive copies of untrusted method parameters are made and security decisions are based on these copies. An attacker can sufficiently bypass security checks under such circumstances.
Noncompliant Code Example
This noncompliant code example accepts an untrusted parameter and creates a copy using the clone()
method. This is not a good idea because a copy of the attacker's class is created instead of the system class. Any input validation routines may not work as expected when the attacker overrides the getTime()
method so that it passes validation when called for the first time, but mutates when it is used a second time. Here, the validateValue()
method is required to protect insertion of time data prior to some known time but fails to achieve this purpose.
private Boolean validateValue(long time) { // Perform validation return true; // If the time is valid } private void storeDateinDB(java.util.Date date) throws SQLException { final java.util.Date copy = (java.util.Date)date.clone(); validateValue(copy.getTime()); Connection con = DriverManager.getConnection("jdbc:microsoft:sqlserver://<HOST>:1433","<UID>","<PWD>"); PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?"); pstmt.setLong(1, copy.getTime()); // ... }
The attacker can override the getTime()
method as shown below.
public class MaliciousDate extends java.util.Date { private static int count = 0; @Override public long getTime() { java.util.Date d = new java.util.Date(); return (count++ == 1) ? d.getTime() : d.getTime() - 1000; } }
Compliant Solution
This compiant solution creates a new java.util.Date
object which is subsequently used for access control checks and insertion into the database.
private void storeDateinDB(java.util.Date date) throws SQLException { final java.util.Date copy = new java.util.Date(); validateValue(copy.getTime()); Connection con = DriverManager.getConnection("jdbc:microsoft:sqlserver://<HOST>:1433","<UID>","<PWD>"); PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?"); pstmt.setLong(1, copy.getTime()); // ... }
Risk Assessment
Using the clone()
method to copy untrusted parameters can lead to the execution of arbitrary code.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
MET39- J |
high |
likely |
low |
P27 |
L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Sterbenz 06]]
MET38-J. Do not invoke overridable methods on the clone under construction 12. Methods (MET) 13. Exceptional Behavior (EXC)