A mutable input has the characteristic that its value may vary; that is, multiple accesses may see differing values. This characteristic enables potential attacks that exploit race conditions. For example, a time-of-check, time-of-use (TOCTOU) inconsistency results when a field contains a value that passes initial validation and security checks but mutates to a different value during actual use.
Additionally, returning references to an an object's internal mutable components affords an attacker with the opportunity to corrupt the state of the object. Accessor methods must consequently return defensive copies of internal mutable objects; see guideline OBJ11-J. Defensively copy private mutable class members before returning their references for additional information.
Noncompliant Code Example
This noncompliant code example contains a TOCTOU inconsistency. Because cookie is a mutable input, an attacker can cause the cookie to expire between the initial check and the actual use.
public final class MutableDemo {
// java.net.HttpCookie is mutable
public void useMutableInput(HttpCookie cookie) {
if (cookie == null) {
throw new NullPointerException();
}
// Check whether cookie has expired
if (cookie.hasExpired()) {
// Cookie is no longer valid, handle condition by throwing an exception
}
// Cookie may have expired since time of check
doLogic(cookie);
}
}
Compliant Solution
This compliant solution avoids the TOCTOU vulnerability by copying the mutable input and then perform all operations on the copy. Consequently, an attacker's changes to the mutable input cannot affect copy. Acceptable techniques include using a copy constructor or implementing the java.lang.Cloneable interface and declaring a public clone method (for classes not declared as final. In cases where the mutable class is declared final — that is, it cannot provide an accessible copy method — perform a manual copy of the object state within the caller. See guideline OBJ10-J. Provide mutable classes with copy functionality to allow passing instances to untrusted code safely for more information. Note that any input validation must be performed on the copy and not on the original object.
public final class MutableDemo {
// java.net.HttpCookie is mutable
public void useMutableInput(HttpCookie cookie) {
if (cookie == null) {
throw new NullPointerException();
}
// Create copy
cookie = (HttpCookie)cookie.clone();
// Check whether cookie has expired
if (cookie.hasExpired()) {
// Cookie is no longer valid, handle condition by throwing an exception
}
doLogic(cookie);
}
}
Compliant Solution
You must make defensive copies of all mutable inputs to comply with this guideline. Some copy constructors and clone() methods perform a shallow copy of the original instance. For example, invocation of clone() on an array results in creation of an array instance whose elements have the same values as the original instance. This shallow copy is sufficient for arrays of primitive types, but fails to protect against TOCTOU vulnerabilities when the elements are references to mutable objects. Use a deep copy that performs element duplication when the input consists of mutable components, such as an array of cookies.
This compliant solution demonstrates correct use both of a shallow copy (for the array of int) and also of a deep copy (for the array of cookies).
public void deepCopy(int[] ints, HttpCookie[] cookies) {
if (ints == null || cookies == null) {
throw new NullPointerException();
}
// Shallow copy
int[] intsCopy = ints.clone();
// Deep copy
HttpCookie[] cookiesCopy = new HttpCookie[cookies.length];
for (int i = 0; i < cookies.length; i++) {
// Manually create copy of each element in array
cookiesCopy[i] = (HttpCookie)cookies[i].clone();
}
doLogic(intsCopy, cookiesCopy);
}
Noncompliant Code Example
When the class of a mutable input is non-final, an attacker can write a subclass that maliciously overrides the parent class's clone() method. The attacker's clone() method could then subvert defensive copying. This noncompliant code example demonstrates the weakness.
// java.util.ArrayList is mutable and non-final
public void copyNonFinalInput(ArrayList list) {
doLogic(list);
}
Compliant Solution
This compliant solution protects against potential malicious overriding by creating a new instance of the non-final mutable input, using the expected class rather than the class of the potentially malicious provided object. The newly created instance can be forwarded to any code capable of modifying it.
// java.util.ArrayList is mutable and non-final
public void copyNonFinalInput(ArrayList list) {
// Create new instance of declared input type
list = new ArrayList(list);
doLogic(list);
}
Noncompliant Code Example
This noncompliant code example uses the Collection interface as an input parameter and directly passes it to doLogic().
// java.util.Collection is an interface
public void copyInterfaceInput(Collection<String> collection) {
doLogic(collection);
}
Compliant Solution
This compliant solution instantiates a new ArrayList and forwards it to the doLogic() method.
public void copyInterfaceInput(Collection<String> collection) {
// Convert input to trusted implementation
collection = new ArrayList(collection);
doLogic(collection);
}
Some objects appear to be immutable because they have no mutator methods. For example, the java.lang.CharacterSequence interface describes an immutable sequence of characters. Note, however, that a variable of type CharacterSequence is a reference to an underlying object of some other class that implements the CharacterSequence interface; that other class may be mutable. When the underlying object changes, the CharacterSequence changes. Essentially, the java.lang.CharacterSequence interface omits methods that would permit object mutation through that interface, but lacks any guarantee of true immutability. Such objects must be defensively copied before use. For the case of the java.lang.CharacterSequence interface, one permissible approach is to obtain an immutable copy of the characters by using the toString() method. Mutable fields should not be stored in static variables. When there is no other alternative, create defensive copies of the fields to avoid exposing them to untrusted code.
Risk Assessment
Failing to create a copy of a mutable input may enable an attacker to exploit a TOCTOU vulnerability and at other times, expose internal mutable components to untrusted code.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO00-J |
medium |
probable |
high |
P4 |
L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[Bloch 2008]] Item 39: Make defensive copies when needed
[[Pugh 2009]] Returning references to internal mutable state
[[SCG 2007]] Guideline 2-1 Create a copy of mutable inputs and outputs
09. Input Output (FIO) 09. Input Output (FIO) FIO01-J. Do not expose buffers created using the wrap() or duplicate() methods to untrusted code