SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Next »

A non-final class or method, which is not meant to be inherited, can be overridden by an attacker, if it is not declared as final [3].

In case inheritance is to be limited to trusted implementations for a public, non-final class, then the class type should be confirmed before creating the instance at each place where an instance of the non-final class can be created. A SecurityManager check should be enforced on detecting a subclass (Chapter 6 of [2]).

A non-final class can be subverted simply by declaring a malicious class that inherits from the non-final class which implies that there is no need for reflection. However, reflection is necessary if the non-final class is private or otherwise inaccessible to the attacker.

Non Compliant code example:


class BankOperation{


	//the account balance has already been retrieved from the database and stored in the foll variable
    Integer balance = 5000;


    public BankOperation() {

    	//invoke java.lang.Object.getClass to get class instance
    	Class clazz = getClass();
    	//shows the class of the instantiated object
    	System.out.println(clazz);
        Method m;
		try {
			m = clazz.getMethod(balance.toString(), (Class[])null);
			m.invoke(this, (Object[])null) ;
		} catch (Exception e) {
			//e.printStackTrace();
		}

    }

    public void getBalance() {
        System.out.println("The current balance is: $" + balance);
    }

}

//this class has been written by the attacker
public class SubClass extends BankOperation {

	public void getBalance() {

		//The attacker can change his account balance to any value he wants.
		InputStreamReader input = new InputStreamReader(System.in);
        BufferedReader reader = new BufferedReader(input);
		System.out.print(" Enter balance: ");
		try {
			balance = Integer.parseInt(reader.readLine());

		} catch (IOException e) {
			//e.printStackTrace();
		}

        System.out.println("The balance is: "+balance);
    }

	public static void main(String[] args) {
        SubClass subclass = new SubClass();
        subclass.getBalance();
    }
}

Here, an attacker can easily create an instance and override methods of the BankOperation class.

Compliant Solution:

This compliant solution can be achieved by using the keyword final, thus ensuring that the sensitive class cannot be extended.

final class BankOperation{
//normal coding...
}

In case the class needs to be extended, then permissions should be checked in case a sub class is detected during construction so that malicious implementations are blocked.

Risk Assessment:

Allowing a non-final class or method to be inherited without checking the class instances, allows an attacker to exploit it.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

OBJ33-J

high

probable

high

P6

L2

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website

Reference:

SCG 07 Secure Coding Guidelines for the Java Programming Language

  • No labels