Non-final member methods that perform security checks can be compromised when a malicious subclass overrides the methods and omits the checks. Consequently, such methods must be declared private or final to prevent overriding.
Noncompliant Code Example
This noncompliant code example allows a subclass to override the readSensitiveFile() method and omit the required security check.
public void readSensitiveFile() {
try {
SecurityManager sm = System.getSecurityManager();
if (sm != null) { // Check for permission to read file
sm.checkRead("/temp/tempFile");
}
// Access the file
} catch (SecurityException se) {
// Log exception
}
}
Compliant Solution
This compliant solution prevents overriding of the readSensitiveFile() method by declaring it final.
public final void readSensitiveFile() {
try {
SecurityManager sm = System.getSecurityManager();
if (sm != null) { // Check for permission to read file
sm.checkRead("/temp/tempFile");
}
// Access the file
} catch (SecurityException se) {
// Log exception
}
}
Compliant Solution
This compliant solution prevents overriding of the readSensitiveFile() method by declaring it private.
private void readSensitiveFile() {
try {
SecurityManager sm = System.getSecurityManager();
if (sm != null) { // Check for permission to read file
sm.checkRead("/temp/tempFile");
}
// Access the file
} catch (SecurityException se) {
// Log exception
}
}
Exceptions
MET03-EX0: Classes that are declared final are exempt from this rule because their member methods cannot be overridden.
Risk Assessment
Failure to declare a class's method private or final affords the opportunity for a malicious subclass to bypass the security checks performed in the method.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
MET03-J |
medium |
probable |
medium |
P8 |
L2 |
Bibliography
IH.2.b.b. Declare methods that enforce SecurityManager checks final -- especially in non-final classes. |