Nonfinal member methods that perform security checks can be compromised when a malicious subclass overrides the methods and omits the checks. Consequently, such methods must be declared private or final to prevent overriding.
Noncompliant Code Example
...
This compliant solution prevents overriding of the readSensitiveFile() method by declaring it final:
| Code Block | ||
|---|---|---|
| ||
public final void readSensitiveFile() {
try {
SecurityManager sm = System.getSecurityManager();
if (sm != null) { // Check for permission to read file
sm.checkRead("/temp/tempFile");
}
// Access the file
} catch (SecurityException se) {
// Log exception
}
}
|
...
This compliant solution prevents overriding of the readSensitiveFile() method by declaring it private:
| Code Block | ||
|---|---|---|
| ||
private void readSensitiveFile() {
try {
SecurityManager sm = System.getSecurityManager();
if (sm != null) { // Check for permission to read file
sm.checkRead("/temp/tempFile");
}
// Access the file
} catch (SecurityException se) {
// Log exception
}
}
|
Exceptions
MET03-J-EX0: Classes that are declared final are exempt from this rule because their member methods cannot be overridden.
...
Failure to declare a class's method private or final affords the opportunity for a malicious subclass to bypass the security checks performed in the method.
Rule | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|---|---|
MET03-J | Medium | Probable |
No | No |
P4 |
L3 |
Android Implementation Details
On Android, System.getSecurityManager() is not used, and the use of a security manager is not exercised. However, an Android developer can implement security-sensitive methods, so the principle may be applicable on Android.
Bibliography
IH.2.b.b. Declare methods that enforce |
...