Nonfinal member methods that perform security checks can be compromised when a malicious subclass overrides the methods and omits the checks. Consequently, such methods must be declared private or final to prevent overriding.
This noncompliant code example allows a subclass to override the readSensitiveFile() method and omit the required security check:
```java
public void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
}
```
This compliant solution prevents overriding of the readSensitiveFile() method by declaring it final:
```java
public final void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
}
```
This compliant solution prevents overriding of the readSensitiveFile() method by declaring it private:
```java
private void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
}
```
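The following added example (not part of the CERT page) puts the noncompliant and compliant shapes side by side in a form that compiles and runs on a current JDK. Because the `SecurityManager` is deprecated for removal since Java 17 and cannot be installed at run time by default on Java 18 and later, the `SecurityManager.checkRead()` call is replaced by a constructed allow-list check (`checkRead`) that plays the same role. The class names `SensitiveReader`, `UncheckedReader` and `HardenedReader` and the sample paths are assumptions made for this example.

```java
import java.util.Set;

/** Noncompliant shape: the method that performs the check is overridable. */
class SensitiveReader {
    // Constructed stand-in for the SecurityManager.checkRead() permission check.
    private static final Set<String> ALLOWED = Set.of("/temp/public.txt");

    private void checkRead(String path) {
        if (!ALLOWED.contains(path)) {
            throw new SecurityException("read denied: " + path);
        }
    }

    // Nonfinal and public: a subclass may override it and drop checkRead().
    public String readSensitiveFile(String path) {
        checkRead(path);
        return accessFile(path);
    }

    // Simulated file access; a stand-in for real I/O in this example.
    private String accessFile(String path) {
        return "contents of " + path;
    }
}

/** A subclass that overrides the method and omits the check entirely. */
class UncheckedReader extends SensitiveReader {
    @Override
    public String readSensitiveFile(String path) {
        // The override performs its own file access and never calls the check.
        return "contents of " + path;
    }
}

/** Compliant shape: the checking method is final, so the override above is impossible. */
class HardenedReader {
    private static final Set<String> ALLOWED = Set.of("/temp/public.txt");

    private void checkRead(String path) {
        if (!ALLOWED.contains(path)) {
            throw new SecurityException("read denied: " + path);
        }
    }

    // final: javac rejects any subclass attempting to override this method.
    public final String readSensitiveFile(String path) {
        checkRead(path);
        return "contents of " + path;
    }
}

// Uncommenting this class produces a compile-time error:
// "readSensitiveFile(String) in BypassAttempt cannot override
//  readSensitiveFile(String) in HardenedReader; overridden method is final"
// class BypassAttempt extends HardenedReader {
//     @Override
//     public String readSensitiveFile(String path) { return "contents of " + path; }
// }

public class Met03Demo {
    /** Returns true if the reader refused the non-allow-listed path, false if it served it. */
    static boolean enforcesCheck(SensitiveReader reader, String path) {
        try {
            reader.readSensitiveFile(path);
            return false;
        } catch (SecurityException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        String secret = "/temp/tempFile";
        System.out.println("base class enforces check: " + enforcesCheck(new SensitiveReader(), secret));
        System.out.println("subclass enforces check:   " + enforcesCheck(new UncheckedReader(), secret));

        HardenedReader hardened = new HardenedReader();
        try {
            hardened.readSensitiveFile(secret);
        } catch (SecurityException e) {
            System.out.println("hardened reader: " + e.getMessage());
        }
        System.out.println("hardened reader: " + hardened.readSensitiveFile("/temp/public.txt"));
    }
}
```

Running `main` prints `true` for the base class and `false` for `UncheckedReader`: the subclass is substitutable for `SensitiveReader` everywhere, so any caller holding a `SensitiveReader` reference silently loses the check. With `HardenedReader`, the bypass is rejected by the compiler rather than discovered at run time, which is the whole point of the rule.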
MET03-J-EX0: Classes that are declared final are exempt from this rule because their member methods cannot be overridden.
Failure to declare a class's method private or final affords the opportunity for a malicious subclass to bypass the security checks performed in the method.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| MET03-J | Medium | Probable | Medium | P8 | L2 | 
On Android, System.getSecurityManager() is not used, and the use of a security manager is not exercised. However, an Android developer can implement security-sensitive methods, so the principle may be applicable on Android.
IH.2.b.b. Declare methods that enforce