...
Also, if the object construction or initialization depends on a security check within the constructor, the security check will be bypassed if an untrusted caller obtains the partially initialized instance (see OBJ04-J. Do not allow partially initialized objects to be accessed for more details).
Noncompliant Code Example
This noncompliant code example publishes the this reference in the last statement of the constructor but is still vulnerable because the field bp is not declared volatile and has public accessibility.
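```java
class BadPublish {
  // Public and non-volatile: reachable by any caller, with no
  // visibility guarantee for the writes made in the constructor
  public static BadPublish bp;
  int num;

  BadPublish(int number) {
    // Initialization
    this.num = number;
    // ...
    bp = this;
  }
}
```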
Compliant Solution
This compliant solution declares the bp field as volatile and reduces the accessibility of the static class field to package-private so that untrusted callers beyond the current package cannot obtain the this instance. More importantly, the constructor publishes the this reference after initialization has concluded.
```java
class BadPublish {
  // Package-private and volatile
  static volatile BadPublish bp;
  int num;

  BadPublish(int number) {
    // Initialization
    this.num = number;
    // ...
    bp = this;
  }
}
```
If the bp field is not declared as volatile
Noncompliant Code Example
This noncompliant code example defines the ExceptionReporter interface that is implemented by the class ExceptionReporters. This class is useful for reporting exceptions after filtering out any sensitive information (EXC01-J. Use a class dedicated to reporting exceptions). The ExceptionReporters constructor incorrectly publishes the this reference before construction of the object has concluded. This occurs in the last statement in the constructor (er.setExceptionReporter(this)), which sets the exception reporter. Because it is the last statement in the constructor, this may be misconstrued as benign.
...
```java
public class MyExceptionReporter extends ExceptionReporters {
  // ...
  public void setReporter(ExceptionReporter er) {
    super.setExceptionReporter(this);
  }
}
```
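The hazard described above, as an added example that is not code from the original page: a superclass constructor hands out this in its last statement, and the receiver observes a subclass field before it has been assigned, while a static factory that publishes after construction avoids the problem. All class and method names here (Registry, Reporter, LeakyBase, LeakySub, SafeSub) are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

public class ThisEscapeDemo {
    interface Reporter { String describe(); }

    // Hypothetical receiver that uses the object as soon as it is handed over.
    static class Registry {
        final List<String> seen = new ArrayList<>();
        void register(Reporter r) { seen.add(r.describe()); }
    }

    // Noncompliant: publishes this as the last statement of the superclass constructor.
    static class LeakyBase implements Reporter {
        LeakyBase(Registry reg) {
            reg.register(this); // the subclass constructor body has not run yet
        }
        public String describe() { return "base"; }
    }

    static class LeakySub extends LeakyBase {
        private final String filter;
        LeakySub(Registry reg) {
            super(reg);                  // this escapes here
            this.filter = "strip-paths"; // assigned only after the escape
        }
        @Override public String describe() { return "filter=" + filter; }
    }

    // Compliant: the constructor only initializes; a static factory publishes afterwards.
    static class SafeSub implements Reporter {
        private final String filter;
        private SafeSub() { this.filter = "strip-paths"; }
        static SafeSub newInstance(Registry reg) {
            SafeSub s = new SafeSub();
            reg.register(s); // fully constructed before it escapes
            return s;
        }
        public String describe() { return "filter=" + filter; }
    }

    public static void main(String[] args) {
        Registry reg = new Registry();
        new LeakySub(reg);
        SafeSub.newInstance(reg);
        System.out.println(reg.seen); // what the registry observed at each registration
    }
}
```

The first registration records the default value of the final field filter rather than the value the constructor assigns, even though the program is single-threaded.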
Noncompliant Code Example
It is possible for the this reference to implicitly get leaked outside the scope [Goetz 02]. Consider inner classes that maintain a copy of the this reference of the outer object.
...
```java
public class GoodExceptionReporter implements ExceptionReporter {
  private final ExceptionReporters er;

  private GoodExceptionReporter(ExceptionReporter excr) {
    er = new ExceptionReporters(excr) {
      public void report(Throwable t) {
        filter(t);
      }
    };
  }

  public static GoodExceptionReporter newInstance(ExceptionReporter excr) {
    GoodExceptionReporter ger = new GoodExceptionReporter(excr);
    excr.setExceptionReporter(ger.er);
    return ger;
  }

  public void filter(Throwable t) { }
  public void report(Throwable exception) { }
  public void setExceptionReporter(ExceptionReporter er) { }
}
```
Noncompliant Code Example
This noncompliant code example starts a thread from within the constructor. This allows the new thread to access the this reference of the current object [Goetz 02, Goetz 06].
...