SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 28

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

Member methods of non-final classes Nonfinal member methods that perform security checks can be compromised when a malicious subclass overrides the methods and omits the checks. Consequently, such methods must be declared private or final to prevent overriding.

...

This noncompliant code example allows a subclass to override the readSensitiveFile() method and omit the required security check.:

Code Block
bgColor#FFcccc

public void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    } 
    // Access the file
  } catch (SecurityException se) { 
    // Log exception  
  }
}

Compliant Solution

This compliant solution prevents overriding of the readSensitiveFile() method by declaring it final.:

Code Block
bgColor#ccccff

public final void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    } 
    // Access the file
  } catch (SecurityException se) { 
    // Log exception 
  }
}

Compliant Solution

This compliant solution prevents overriding of the readSensitiveFile() method by declaring it private.:

Code Block
bgColor#ccccff

private void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    } 
    // Access the file
  } catch (SecurityException se) { 
    // Log exception 
  }
}

Exceptions

MET03-J-EX0: Classes that are declared final are exempt from this guideline rule because their member methods cannot be overridden.

Risk Assessment

Failure to declare a non-final class's method private or final affords the opportunity for a malicious subclass to bypass the security checks performed in the methodsmethod.

Guideline

Rule

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

MET03-J

Medium

medium

Probable

probable

No

medium

No

P8

P4

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

Wiki Markup
\[[Ware 2008|AA. Bibliography#Ware 08]\]

L3

Android Implementation Details

On Android, System.getSecurityManager() is not used, and the use of a security manager is not exercised. However, an Android developer can implement security-sensitive methods, so the principle may be applicable on Android.

Bibliography

[Ware 2008]

IH.2.b.b. Declare methods that enforce SecurityManager checks final—especially in non-final classes


...

Image Added Image Added Image AddedMET01-J. Validate method parameters      05. Methods (MET)      MET04-J. Ensure that constructors do not call overridable methods