  public CallBackAction(CallBack callback) {
    this.callback = callback;
  }
  public void perform() {
    callback.callMethod();
  }
}
This code behaves the same as before, but an attacker can no longer execute malicious callback code with elevated privileges. Even though an attacker can pass a malicious callback instance using the constructor of class CallBackAction, the code is not executed with elevated privileges because the malicious instance must contain a doPrivileged block that cannot have the same privileges as trusted code. Additionally, class CallBackAction cannot be subclassed to override the perform() method as it is declared final.
Compliant Solution (Declare Callback Final)
This compliant solution declares the UserLookupCallBack class final to prevent overriding of callMethod().
final class UserLookupCallBack implements CallBack {
  // ...
}
// Remaining code is unchanged
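Both compliant solutions depend on final declarations, which can be checked mechanically. The following is an added example, not code from the original guideline: it reflectively flags classes whose callMethod() or perform() can still be overridden. OpenLookupCallBack, the audit() helper and the empty method bodies are assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class CallbackFinalityAudit {
  interface CallBack { void callMethod(); }

  // Same shape as the compliant solution: final, so callMethod() cannot be overridden.
  static final class UserLookupCallBack implements CallBack {
    public void callMethod() { /* body elided on the page; empty here by assumption */ }
  }

  // Constructed counter-example (hypothetical): non-final, so a subclass can replace callMethod().
  static class OpenLookupCallBack implements CallBack {
    public void callMethod() { }
  }

  static final class CallBackAction {
    private final CallBack callback;
    public CallBackAction(CallBack callback) { this.callback = callback; }
    public void perform() { callback.callMethod(); }
  }

  // Hypothetical helper: one finding per class whose public method `name` is still overridable.
  static List<String> audit(String name, Class<?>... classes) {
    List<String> findings = new ArrayList<>();
    for (Class<?> c : classes) {
      if (Modifier.isFinal(c.getModifiers())) continue; // final class: no subclass can exist
      for (Method m : c.getMethods()) {               // public methods, inherited ones included
        int mod = m.getModifiers();
        if (m.getName().equals(name) && !Modifier.isFinal(mod) && !Modifier.isStatic(mod)) {
          findings.add(c.getSimpleName() + "." + name + "() can be overridden");
        }
      }
    }
    return findings;
  }

  public static void main(String[] args) {
    List<String> findings = new ArrayList<>();
    findings.addAll(audit("callMethod", UserLookupCallBack.class, OpenLookupCallBack.class));
    findings.addAll(audit("perform", CallBackAction.class));
    findings.forEach(System.out::println);
  }
}
```

Only the non-final OpenLookupCallBack is reported; a check of this kind can run as a unit test over every class that implements a privileged callback.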
Applicability
Exposing sensitive methods through callbacks can result in misuse of privileges and arbitrary code execution.