You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 44 Next »

When a custom class loader needs to override the getPermissions() method, the implementation must consult the default system policy by explicitly invoking the superclass's getPermissions() method before assigning arbitrary permissions to the code source. The getPermissions() method is actually defined by SecureClassLoader, which extends ClassLoader. ClassLoader is abstract and must not be extended directly.

Noncompliant Code Example

This noncompliant code example shows a fragment of a custom class loader that extends the class URLClassLoader. It overrides the getPermissions() method and does not call the superclass's more restrictive getPermissions() method. Consequently, a class defined using this custom class loader has permissions that are completely independent of those specified in the system-wide policy file; in effect, the class's permissions override them.

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = new Permissions();
  pc.add(new RuntimePermission("exitVM"));   // allow exit from the VM anytime
  return pc;
}

Compliant Solution

In this compliant solution, the getPermissions() method calls super.getPermissions(). Consequently, the default system-wide security policy is applied, in addition to the custom policy.

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = super.getPermissions(cs);
  pc.add(new RuntimePermission("exitVM"));   // allow exit from the VM anytime
  return pc;
}

Risk Assessment

Failure to consult the default system policy while defining a custom classloader violates the tenets of defensive programming and can result in classes defined with unintended permissions.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC11-J

high

probable

low

P18

L1

Automated Detection

This can be addressed with a heuristic checker in the style of FindBugs. As with all heuristic checks, achieving a low false-positive rate is essential.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3d287cab-db25-4e28-9dcd-26a2ff5295ce"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

[Class ClassLoader

http://java.sun.com/javase/6/docs/api/java/lang/ClassLoader.html]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="710c6c3d-6b67-4fd2-aebd-20bda0a3327e"><ac:plain-text-body><![CDATA[

[[Oaks 2001

AA. Bibliography#Oaks 01]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="92834c2a-422e-48cb-802e-6ed43439fef5"><ac:plain-text-body><![CDATA[

[[Security 2006

AA. Bibliography#Security 06]]

 

]]></ac:plain-text-body></ac:structured-macro>


SEC09-J. Do not base security checks on untrusted sources      14. Platform Security (SEC)      SEC18-J. Define wrappers around native methods

  • No labels