Calling overridable methods from the clone() method is insecure for two reasons. First, a malicious subclass may override the method and affect the behavior of the clone() method. Second, a trusted subclass can observe (and potentially modify) the cloned object in a partially-initialized state before its construction has concluded. Consequently, the subclass can leave the clone, the object being cloned, or both in an inconsistent state.
...
This noncompliant code example shows two classes, BadClone and Sub. BadClone calls an overridable method doSomething(). The overridden method sets the value of the cookies; the overriding method sets the values of the domain names. At runtime, because of polymorphism, the doSomething() method of the subclass Sub is erroneously executed. The subclass not only sees the clone in an inconsistent state but also modifies the clone in a manner that creates inconsistent copies. This is because the call to deepCopy() occurs after the call to doSomething(), and the overriding doSomething() implementation erroneously modifies the object.
...
This compliant solution declares both the doSomething() and the deepCopy() methods final, preventing these methods from being overridden.
```java
// final: a subclass can no longer override this method, so clone() always runs this body
final void doSomething() {
  // ...
}

// final: the deep copy cannot be replaced by a subclass either
final HttpCookie[] deepCopy() {
  // ...
}
```
Alternative approaches that prevent invocation of overridable methods include declaring these methods private, declaring the class final, or eliminating the method calls by congregating the code together in clone().
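The following is an added, self-contained example (not the CERT page's own code) that shows the BadClone/Sub interaction described above beside a hardened class. The field name `cookies`, the class name `GoodClone`, and the exact bodies of `doSomething()` and `deepCopy()` are assumptions; the page only states that the base method sets cookie values and the subclass method sets domain names. The hardened class also performs the deep copy before calling `doSomething()`, which goes slightly beyond the page's fix of declaring the two methods final.

```java
import java.net.HttpCookie;

// Noncompliant: clone() invokes an overridable method before deepCopy() runs.
class BadClone implements Cloneable {
    HttpCookie[] cookies; // assumed field; shared with the original until deepCopy() runs

    BadClone(HttpCookie[] cookies) { this.cookies = cookies; }

    @Override
    public Object clone() throws CloneNotSupportedException {
        BadClone clone = (BadClone) super.clone(); // shallow copy: clone.cookies is this.cookies
        clone.doSomething();                       // dispatches to Sub.doSomething() at runtime
        clone.cookies = clone.deepCopy();          // deep copy happens only after the damage
        return clone;
    }

    void doSomething() {                           // overridable
        for (HttpCookie c : cookies) c.setValue("reset");
    }

    HttpCookie[] deepCopy() {                      // overridable
        HttpCookie[] copy = new HttpCookie[cookies.length];
        for (int i = 0; i < cookies.length; i++) copy[i] = (HttpCookie) cookies[i].clone();
        return copy;
    }
}

// The subclass override runs while the clone still shares its cookie array with
// the original, so it mutates both objects at once.
class Sub extends BadClone {
    Sub(HttpCookie[] cookies) { super(cookies); }

    @Override
    void doSomething() {
        for (HttpCookie c : cookies) c.setDomain("other.example"); // constructed value
    }
}

// Compliant: both helpers are final, and the deep copy precedes any work on the clone.
class GoodClone implements Cloneable {
    private HttpCookie[] cookies;

    GoodClone(HttpCookie[] cookies) { this.cookies = cookies; }

    @Override
    public Object clone() throws CloneNotSupportedException {
        GoodClone clone = (GoodClone) super.clone();
        clone.cookies = clone.deepCopy(); // the clone now owns its own HttpCookie instances
        clone.doSomething();              // cannot be overridden; touches the clone only
        return clone;
    }

    final void doSomething() {
        for (HttpCookie c : cookies) c.setValue("reset");
    }

    final HttpCookie[] deepCopy() {
        HttpCookie[] copy = new HttpCookie[cookies.length];
        for (int i = 0; i < cookies.length; i++) copy[i] = (HttpCookie) cookies[i].clone();
        return copy;
    }

    HttpCookie first() { return cookies[0]; }
}

public class CloneDemo {
    public static void main(String[] args) throws CloneNotSupportedException {
        // Constructed sample data.
        HttpCookie[] original = { new HttpCookie("session", "abc123") };
        original[0].setDomain("example.com");

        Sub bad = new Sub(original);
        bad.clone();
        // Sub.doSomething() ran on the shallow clone, so the ORIGINAL cookie's domain changed too.
        System.out.println("BadClone: original cookie domain is now " + original[0].getDomain());

        HttpCookie[] original2 = { new HttpCookie("session", "abc123") };
        original2[0].setDomain("example.com");
        GoodClone good = new GoodClone(original2);
        GoodClone copy = (GoodClone) good.clone();
        // The original keeps its value; only the clone's private copy was modified.
        System.out.println("GoodClone: original value " + original2[0].getValue()
                + ", clone value " + copy.first().getValue());
    }
}
```

Run it with `javac CloneDemo.java && java CloneDemo`. The first line of output shows the original object's cookie carrying the domain written by the subclass, which is exactly the "object being cloned" corruption the guideline describes; the second shows that with final methods and a deep copy performed first, the original and the clone diverge only where the clone's own code intends.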
Risk Assessment
Calling overridable methods on the clone under construction can expose class internals to malicious code or violate class invariants by exposing the clone to trusted code in a partially-initialized state, affording the opportunity to corrupt the state of the clone, of the object being cloned, or of both.
| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| MET07-J | medium | probable | low | P12 | L1 |
Automated Detection
Automated detection appears to be straightforward.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
...