Java Security
Rules available in this category:
- Reduce_scope_of_public_or_protected_methods
- Reduce_scope_of_package_private_methods
- Reduce_scope_of_public_or_protected_classes
- Reduce_scope_of_package_private_classes
- Reduce_scope_of_public_or_protected_fields
- Reduce_scope_of_package_private_fields
- Avoid_passing_byte_array_to_writeObject
- Inspect_usage_of_random_methods
- Inspect_usage_dynamically_created_strings_in_execute_executeQuery_executeUpdate_or_addBatch_methods
- Always_ensure_Security_Manager_is_set
- Inspect_usage_of_dynamically_created_strings_in_exec_method
- Avoid_overriding_any_ClassLoader_method_other_than_loadClass
- Always_ensure_all_exceptions_are_logged_or_rethrown
- Inspect_fields_of_serializable_objects
- Avoid_creating_your_own_SecurityManager
- Inspect_instantiations_of_ClassLoader_objects
- Inspect_usage_of_getName_method_of_Class_object
- Avoid_calling_printStackTrace_method_of_Throwable_objects
- Always_declare_readObject_and_writeObject_as_private
- Avoid_comparing_classes_by_name
- Make_classes_non_serializable
- Inspect_package_scope_access
- Always_implement_readObject_for_serializable_class
- Make_classes_non_deserializable
- Avoid_collection_type_fields_in_public_interface
- Avoid_array_type_fields_in_public_interface
- Make_classes_non_cloneable
- Clone_method_should_throw_CloneNotSupportedException
- Always_use_final_modifier_for_Clone_method
- Avoid_protected_member_in_final_class
- Avoid_using_inner_classes
- Avoid_public_access_for_inner_classes
Rule 1: Reduce_scope_of_public_or_protected_methods
Severity:
Low
Rule:
Avoid granting more access than is required.
Reason:
Avoid granting more access than is required.
Usage Example:
public class Test
{
public int getSize() // VIOLATION
{
return 3;
}
public void fubar()
{
int size = getSize();
}
}
Should be written as:
public class Test
{
private int getSize()
{
return 3;
}
public void fubar()
{
int size = getSize();
}
}
Reference:
Not available.
Rule 2: Reduce_scope_of_package_private_methods
Severity:
Low
Rule:
Avoid granting more access than is required.
Reason:
Avoid granting more access than is required.
Usage Example:
package myPackage;
public class Test
{
int getSize() // VIOLATION
{
return 3;
}
public void fubar()
{
int size = getSize();
}
}
Should be written as:
package myPackage;
public class Test
{
private int getSize() // FIXED
{
return 3;
}
public void fubar()
{
int size = getSize();
}
}
Reference:
Not available.
Rule 3: Reduce_scope_of_public_or_protected_classes
Severity:
Low
Rule:
Avoid granting more access than is required.
Reason:
Avoid granting more access than is required.
Usage Example:
public class MyClass // VIOLATION
{
//...
}
class Test
{
public MyClass instance = new MyClass();
}
Should be written as:
class MyClass // FIXED
{
//...
}
class Test
{
public MyClass instance = new MyClass();
}
Reference:
Not available.
Rule 4: Reduce_scope_of_package_private_classes
Severity:
Low
Rule:
Avoid granting more access than is required.
Reason:
Avoid granting more access than is required.
Usage Example:
package myPackage;
public class Test
{
class SomeClass // VIOLATION
{
public void performAction()
{
//....
}
}
class AnotherInner
{
public void fubar()
{
SomeClass class1 = new SomeClass();
class1.performAction();
}
}
}
Should be written as:
package myPackage;
public class Test
{
private class SomeClass // FIXED
{
public void performAction()
{
//....
}
}
class AnotherInner
{
public void fubar()
{
SomeClass class1 = new SomeClass();
class1.performAction();
}
}
}
Reference:
Not available.
Rule 5: Reduce_scope_of_public_or_protected_fields
Severity:
Low
Rule:
Avoid granting more access than is required.
Reason:
Avoid granting more access than is required.
Usage Example:
public class Test
{
public int myField; // VIOLATION
protected int anotherField; // VIOLATION
public void setMyField(int i)
{
myField = i;
}
public void setAnotherField(int i)
{
anotherField = i;
}
}
Should be written as:
public class Test
{
private int myField; // FIXED
private int anotherField; // FIXED
public void setMyField(int i)
{
myField = i;
}
public void setAnotherField(int i)
{
anotherField = i;
}
}
Reference:
Not available.
Rule 6: Reduce_scope_of_package_private_fields
Severity:
Low
Rule:
Avoid granting more access than is required.
Reason:
Avoid granting more access than is required.
Usage Example:
public class Test
{
int myField; // VIOLATION
public void setMyField(int i)
{
myField = i;
}
}
Should be written as:
public class Test
{
private int myField; // FIXED
public void setMyField(int i)
{
myField = i;
}
}
Reference:
Not available.
Rule 7: Avoid_passing_byte_array_to_writeObject
Severity:
Medium
Rule:
Do not pass class fields of type byte array to ObjectOutputStream.write().
Reason:
Do not pass class fields of type byte array to ObjectOutputStream.write().
Usage Example:
package com.rule;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
public class Avoid_passing_byte_array_to_ObjectOutputStream_write_method_violation implements Serializable
{
private byte[] data;
private void writeObject(ObjectOutputStream out) throws IOException
{
out.write(data); // VIOLATION
byte[] tmp = new byte[0];
out.write(tmp);
}
}
Should be written as:
package com.rule;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
public class Avoid_passing_byte_array_to_ObjectOutputStream_write_method_correction implements Serializable
{
private byte[] data;
private void writeObject(ObjectOutputStream out) throws IOException
{
out.write((byte[])data.clone());
byte[] tmp = new byte[0];
out.write(tmp);
}
}
Reference:
Reference Not Available.
Rule 8: Inspect_usage_of_random_methods
Severity:
Low
Rule:
Inspect Random objects or Math.random methods that could indicate areas where malicious code has been placed.
Reason:
Inspect Random objects or Math.random methods that could indicate areas where malicious code has been placed.
Usage Example:
public class Test
{
public static String fubar()
{
String s = "";
for (int k = 0; k < 6; ++k)
{
s += (char)(Math.random() * 26 + 'A'); // VIOLATION
}
return s + "+";
}
}
Should be written as:
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
public class Test
{
public static String fubar()
{
String s = "";
SecureRandom prng = null;
try
{
prng = SecureRandom.getInstance("SHA1PRNG");
}
catch (NoSuchAlgorithmException e)
{
e.printStackTrace();
}
if(prng != null)
{
for (int k = 0; k < 6; ++k)
{
s += (char)(prng.nextDouble() * 26 + 'A'); // VIOLATION
}
}
return s + "+";
}
}
Reference:
http://java.sun.com/j2se/1.4.2/docs/api/java/security/SecureRandom.html
Rule 9: Inspect_usage_dynamically_created_strings_in_execute_executeQuery_executeUpdate_or_addBatch_methods
Severity:
Low
Rule:
Dynamically created strings passed to these methods could modify the database in an undesired manner.
Reason:
Dynamically created strings passed to these methods could modify the database in an undesired manner.
Usage Example:
public class Test
{
public void killMyDatabase(Connection con, String query)
{
if(con != null)
{
Statement stmt = con.createStatement();
ResultSet = statement.executeQuery(query); // VIOLATION
//...
}
}
}
Should be written as:
Investigate to ensure proper validation is present or any invocations to this method do not pass strings which could contain malicious code.
Reference:
Not available.
Rule 10: Always_ensure_Security_Manager_is_set
Severity:
Low
Rule:
The security manager is a class that allows applications to implement a security policy.
Reason:
The security manager is a class that allows applications to implement a security policy.
Usage Example:
public class Test
{
public static void main(String[] args) // VIOLATION
{
//...
}
}
Should be written as:
public class Test
{
public static void main(String[] args)
{
SecurityManager security = System.getSecurityManager(); // FIXED
if (security != null)
{
security.checkXXX(argument, . . . );
}
//...
}
}
Reference:
http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html
Rule 11: Inspect_usage_of_dynamically_created_strings_in_exec_method
Severity:
Low
Rule:
Dynamically created strings passed to the exec method could execute a command which might violate security on the host machine.
Reason:
Dynamically created strings passed to the exec method could execute a command which might violate security on the host machine.
Usage Example:
public class Test
{
public void fubar(String deadlyCommand)
{
Runtime.getRuntime().exec(deadlyCommand); // VIOLATION
Runtime.getRuntime().exec(new String[]{deadlyCommand}); // VIOLATION
}
}
Should be written as:
Investigate to ensure proper validation is present or any invocations to this method do not pass strings which could contain malicious code.
Reference:
Not available.
Rule 12: Avoid_overriding_any_ClassLoader_method_other_than_loadClass
Severity:
Low
Rule:
loadClass method is usually enough to do the job and overriding other methods might introduce certain security loopholes.
Reason:
loadClass method is usually enough to do the job and overriding other methods might introduce certain security loopholes.
Usage Example:
package myPackage;
public class Test extends ClassLoader
{
/* (non-Javadoc)
* @see java.lang.ClassLoader#clearAssertionStatus()
*/
public synchronized void clearAssertionStatus() // VIOLATION
{
//...
}
public void fubar()
{
//...
}
}
class myClassLoader extends Test
{
/* (non-Javadoc)
* @see myPackage.Test#fubar()
*/
public void fubar() // VIOLATION
{
//...
}
/* (non-Javadoc)
* @see java.lang.ClassLoader#loadClass(java.lang.String)
*/
public Class loadClass(String arg0) throws ClassNotFoundException
{
//...
return super.loadClass(arg0);
}
}
Should be written as:
Reference:
http://www.securingjava.com/chapter-two/chapter-two-7.html
Rule 13: Always_ensure_all_exceptions_are_logged_or_rethrown
Severity:
Low
Rule:
Loggers are configurable and flexible, and basically one can decide which level of severity it wants to report/act on, on a package-by-package basis.
Reason:
Loggers are configurable and flexible, and basically one can decide which level of severity it wants to report/act on, on a package-by-package basis.
Usage Example:
public class Test
{
public void fubar()
{
try
{
//...
}
catch(NoSuchMethodException e) // VIOLATION
{
e.printStackTrace();
}
}
}
Should be written as:
public class Test
{
public void fubar()
{
try
{
//...
}
catch (NoSuchMethodException e) // FIXED
{
LOG.error("Blah", e);
}
}
}
Reference:
http://today.java.net/pub/a/today/2006/04/06/exception-handling-antipatterns.html
Rule 14: Inspect_fields_of_serializable_objects
Severity:
Low
Rule:
Inspect fields of serializable objects to make sure they do not expose any sensitive information.
Reason:
Inspect fields of serializable objects to make sure they do not expose any sensitive information.
Usage Example:
import java.io.*;
public class Test implements Serializable
{
protected int myKey = 3235; // VIOLATION
//...
}
Should be written as:
Inspect field to check if it does not disclose any sensitive information.
Reference:
Not available.
Rule 15: Avoid_creating_your_own_SecurityManager
Severity:
Medium
Rule:
For many applications, the default security manager is sufficient since a custom security manager could have certain loopholes and basically require investigation.
Reason:
For many applications, the default security manager is sufficient since a custom security manager could have certain loopholes and basically require investigation.
Usage Example:
class FascistSecurityManager extends SecurityManager // VIOLATION
{
// ...
}
Should be written as:
Investigate for any possible loopholes.
Reference:
Not available.
Rule 16: Inspect_instantiations_of_ClassLoader_objects
Severity:
Low
Rule:
ClassLoader could be used to load an arbitrary class and call an arbitrary method which could be a possible security thread.
Reason:
ClassLoader could be used to load an arbitrary class and call an arbitrary method which could be a possible security thread.
Usage Example:
import java.util.Hashtable;
public class Test extends ClassLoader
{
private Hashtable classes = new Hashtable();
public synchronized Class loadClass(String className, boolean resolveIt)
throws ClassNotFoundException
{
Class result = (Class)classes.get(className);
if (result != null)
{
System.out.println(" >>>>>> returning cached result.");
return result;
}
if (className.startsWith("java."))
{
throw new ClassNotFoundException(); // malicious code
}
return null;
}
public void test()
{
Test t = new Test(); // VIOLATION
try
{
t.loadClass("myClass");
}
catch (ClassNotFoundException e)
{
e.printStackTrace();
}
}
}
Should be written as:
Inspect custom ClassLoader
Reference:
Not available.
Rule 17: Inspect_usage_of_getName_method_of_Class_object
Severity:
Low
Rule:
Inspect usage of getName from java.lang.Class object.
Reason:
Inspect usage of getName from java.lang.Class object.
Usage Example:
public class Test
{
public void fubar()
{
try
{
//...
}
catch(Exception e)
{
System.err.println(e.getClass().getName() + ": " + e.getMessage()); // VIOLATION
}
}
}
Should be written as:
public class Test
{
public void fubar()
{
try
{
//...
}
catch(Exception e)
{
System.err.println(e.getMessage()); // FIXED
}
}
}
Reference:
Not available.
Rule 18: Avoid_calling_printStackTrace_method_of_Throwable_objects
Severity:
Medium
Rule:
printStackTrace might reveal internal program information.
Reason:
printStackTrace might reveal internal program information.
Usage Example:
public class MyClass
{
public static void printFile(String name)
{
try
{
InputStream in= new FileInputStream(name);
//...
}
catch (FileNotFoundException e)
{
e.printStackTrace(); //VIOLATION
}
}
}
Should be written as:
public class MyClass
{
public static void printFile(String name)
{
try
{
InputStream in= new FileInputStream(name);
//...
}
catch (FileNotFoundException e)
{
// CORRECTION
// or log the exception
}
}
}
Reference:
No references available.
Rule 19: Always_declare_readObject_and_writeObject_as_private
Severity:
Medium
Rule:
Java serialization protocol requires you to declare readObject() and writeObject() private.
Reason:
Java serialization protocol requires you to declare readObject() and writeObject() private.
Usage Example:
import java.io.*;
public class KeepPrivate implements Serializable
{
static final long serialVersionUID = 23452963472762;
public void writeObject(ObjectOutputStream s) throwsIOException
// VIOLATION
{
s.defaultWriteObject();
}
public void readObject(ObjectInputStream s) throwsIOException, ClassNotFoundException // VIOLATION
{
s.defaultReadObject();
}
}
Should be written as:
import java.io.*;
public class KeepPrivate implements Serializable
{
static final long serialVersionUID = 23452963472762;
private void writeObject(ObjectOutputStream s) throws IOException
// CORRECTION
{
s.defaultWriteObject();
}
private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException// CORRECTION
{
s.defaultReadObject();
}
}
Reference:
http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/security.html
Rule 20: Avoid_comparing_classes_by_name
Severity:
Medium
Rule:
Do not compare classes by name to avoid any security issues
Reason:
Do not compare classes by name to avoid any security issues
Usage Example:
package com.rule;
class Avoid_comparing_classes_by_name_violation
{
public boolean isClassOK(Class cls)
{
return cls.getName().equals("SomeClassName"); // VIOLATION
}
}
Should be written as:
package com.rule;
class Avoid_comparing_classes_by_name_correction
{
public boolean isClassOK(Class cls)
{
return cls == this.getClassLoader().loadClass("SomeClassName"); // CORRECTION
}
}
Reference:
http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules_p.html
Rule 21: Make_classes_non_serializable
Severity:
Medium
Rule:
Make your classes non serializable to avoid security issues
Reason:
Make your classes non serializable to avoid security issues
Usage Example:
package com.rule;
class Make_class_non_serializable_violation
{
}
Should be written as:
package com.rule;
import java.io.ObjectOutputStream;
class Make_class_non_serializable_correction
{
private final void writeObject(ObjectOutputStream out) throws java.io.IOException
{
throw new java.io.IOException("Object cannot be serialized");
}
}
Reference:
http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules_p.html
Rule 22: Inspect_package_scope_access
Severity:
Medium
Rule:
Give your classes, methods, and fields the most restricted access possible.
Reason:
Give your classes, methods, and fields the most restricted access possible.
Usage Example:
class MyClass // VIOLATION
{
}
Should be written as:
Reference:
http://java.sun.com/j2se/1.3/docs/guide/extensions/spec.html#sealing
Rule 23: Always_implement_readObject_for_serializable_class
Severity:
Medium
Rule:
It is preferrable to always implement readObject method to validate all serialized data to guarantee security and class invariants.
Reason:
It is preferrable to always implement readObject method to validate all serialized data to guarantee security and class invariants.
Usage Example:
import java.io.*;
public class AlwaysImplement_readObject_forSerializableClass implements Serializable // VIOLATION
{
private int _max;
private static final long serialVersionUID = 1;
public void setMax (int max)
{
_max = max;
}
public int getMax ()
{
return _max;
}
}
Should be written as:
public class AlwaysImplement_readObject_forSerializableClass implements Serializable
{
private int _max;
private static final long serialVersionUID = 1;
private void readObject (ObjectInputStream in) // CORRECTION
throws IOException, ClassNotFoundException
{
in.defaultReadObject ();
if ( _max < 0 ) // validation assuming max should always be positive
throw new IOException ("Illegal max value read: " + _max);
}
public void setMax (int max)
{
_max = max;
}
public int getMax ()
{
return _max;
}
}
Reference:
Joshua Bloch: "Effective Java - Programming Language Guide" - Addison Wesley, 2001, pp. 218-219
Rule 24: Make_classes_non_deserializable
Severity:
Medium
Rule:
Make classes non deserializable to avoid any security issues
Reason:
Make classes non deserializable to avoid any security issues
Usage Example:
package com.rule;
class Make_class_non_deserializable_violation
{
}
Should be written as:
package com.rule;
import java.io.ObjectInputStream;
class Make_class_non_deserializable_correction
{
// CORRECTION - By writing the following method in your class, will make your
// make your class non desrializable. NOTE: The method should be declared as final,
// so that a subclass defined by the adversary cannot override it.
private final void readObject(ObjectInputStream in) throws java.io.IOException
{
throw new java.io.IOException("Class cannot be deserialized");
}
}
Reference:
http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules_p.html
Rule 25: Avoid_collection_type_fields_in_public_interface
Severity:
Medium
Rule:
Avoid declaring collection type fields in public interface.
Reason:
Avoid declaring collection type fields in public interface.
Usage Example:
package com.rule;
public interface Avoid_collection_type_fields_in_public_interface_violation
{
final static int i = 10;
final static Hashtable numbers = new Hashtable(); // Violation
final static Collection c = new ArrayList(); // Violation
}
Should be written as:
Reference:
Reference not available.
Rule 26: Avoid_array_type_fields_in_public_interface
Severity:
Medium
Rule:
Avoid declaring array type fields in public interface.
Reason:
Avoid declaring array type fields in public interface.
Usage Example:
package com.rule;
public interface Avoid_array_type_fields_in_public_interface_violation
{
final static int i = 10;
final static int Myarray[] = {10,20,30}; //Violation.
}
Should be written as:
Reference:
Reference not available.
Rule 27: Make_classes_non_cloneable
Severity:
Medium
Rule:
Make classes non cloneable to avoid any security issues
Reason:
Make classes non cloneable to avoid any security issues
Usage Example:
package com.rule;
class Make_class_non_cloneable_violation // VIOLATION
{
}
Should be written as:
package com.rule;
class Make_class_non_cloneable_correction
{
public final Object clone() throws java.lang.CloneNotSupportedException // CORRECTION
{
throw new java.lang.CloneNotSupportedException();
}
}
Reference:
http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules_p.html
Rule 28: Clone_method_should_throw_CloneNotSupportedException
Severity:
Medium
Rule:
Clone method should throw CloneNotSupportedException.
Reason:
Clone method should throw CloneNotSupportedException.
Usage Example:
package com.rule;
class Clone_method_should_throw_CloneNotSupportedException_violation implements Cloneable
{
protected Object clone()
{
return null;
}
}
Should be written as:
package com.rule;
class Clone_method_should_throw_CloneNotSupportedException_violation implements Cloneable
{
protected Object clone() throws CloneNotSupportedException
{
return null;
}
}
Reference:
Joshua Bloch : "Effective Java - Programming Language Guide" Addison Wesley, 2001
Rule 29: Always_use_final_modifier_for_Clone_method
Severity:
Medium
Rule:
Always use final modifier for Clone method.
Reason:
Always use final modifier for Clone method.
Usage Example:
package com.rule;
public class Always_use_final_modifier_for_Clone_method implements Cloneable
{
public Object clone () throws CloneNotSupportedException // VIOLATION
{
}
}
Should be written as:
package com.rule;
public class Always_use_final_modifier_for_Clone_method implements Cloneable
{
public final Object clone () throws CloneNotSupportedException //Correction.
{
}
}
Reference:
Reference not available.
Rule 30: Avoid_protected_member_in_final_class
Severity:
Medium
Rule:
Avoid protected member in final class
Reason:
Avoid protected member in final class
Usage Example:
package com.rule;
final class Avoid_protected_member_in_final_class_violation
{
protected int value; // VIOLATION
}
Should be written as:
package com.rule;
final class Avoid_protected_member_in_final_class_correction
{
int value; // CORRECTION
}
Reference:
Reference Not Available.
Rule 31: Avoid_using_inner_classes
Severity:
Medium
Rule:
Avoid using inner classes for security reasons
Reason:
Avoid using inner classes for security reasons
Usage Example:
package com.rule;
class Avoid_using_inner_classes_violation
{
// some private field declarations
// and required accessor methods
class Avoid_using_inner_classes_InnerClass
{
public void takeAction()
{
// accessing private fields of outer class here
}
}
}
Should be written as:
package com.rule;
public class Avoid_using_inner_classes_correction
{
// some private field declarations
// and required accessor methods
}
class Avoid_using_inner_classes_InnerClass2
{
public void takeAction()
{
// use accessor methods of the other class.
}
}
Reference:
http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules_p.html
Rule 32: Avoid_public_access_for_inner_classes
Severity:
Medium
Rule:
Do not give public access for inner classes to avoid any security issues
Reason:
Do not give public access for inner classes to avoid any security issues
Usage Example:
package com.rule;
class Avoid_public_access_for_inner_classes_violation
{
public class Avoid_public_access_for_inner_classes_InnerClass // VIOLATION
{
public void takeAction()
{
}
}
}
Should be written as:
package com.rule;
class Avoid_public_access_for_inner_classes_correction
{
private class Avoid_public_access_for_inner_classes_InnerClass // CORRECTION
{
public void takeAction()
{
}
}
}
Reference:
http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules_p.html