Skip to end of metadata
Go to start of metadata

When a custom class loader must override the getPermissions() method, the implementation must consult the default system policy by explicitly invoking the superclass's getPermissions() method before assigning arbitrary permissions to the code source. A custom class loader that ignores the superclass's getPermissions() could load untrusted classes with elevated privileges. ClassLoader is abstract and must not be directly subclassed. 

Noncompliant Code Example

This noncompliant code example shows a fragment of a custom class loader that extends the class URLClassLoader. It overrides the getPermissions() method but does not call its superclass's more restrictive getPermissions() method. Consequently, a class defined using this custom class loader has permissions that are completely independent of those specified in the systemwide policy file. In effect, the class's permissions override them.

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = new Permissions();
  // Allow exit from the VM anytime
  pc.add(new RuntimePermission("exitVM"));
  return pc;
}

Compliant Solution

In this compliant solution, the getPermissions() method calls super.getPermissions(). As a result, the default systemwide security policy is applied in addition to the custom policy.

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = super.getPermissions(cs);
  // Allow exit from the VM anytime
  pc.add(new RuntimePermission("exitVM"));
  return pc;
}

Risk Assessment

Failure to consult the default system policy while defining a custom class loader violates the tenets of defensive programming and can result in classes defined with unintended permissions.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC07-J

High

Probable

Low

P18

L1

Automated Detection

Violations of this rule can be discovered with a heuristic checker in the style of FindBugs. As with all heuristic checks, achieving a low false-positive rate is essential.

Android Implementation Details

The java.security package exists on Android for compatibility purposes only, and it should not be used.

Bibliography

 


5 Comments

  1. TODO Check whether any of the existing checkers already embody this rule.

  2. What if a class extends ClassLoader itself, which has no getPermissions() method?

    1. Added this as an exception.

      1. Based on further discussions, removed the exception, and added normative text forbidding code from subclassing ClassLoader directory (which would bypass permissions).

        1. The normative text disappeared when we made the intro, I've restored it.