exception if the caller attempts to use this method on the returned object. This object can
be passed to untrusted code when read access to the data is permissible.
Applicability
Failure to provide an unmodifiable, safe view of a sensitive mutable object to untrusted
code can lead to malicious tampering and corruption of the object.
Bibliography
[Long 2012] OBJ05-J. Defensively copy private mutable class members before returning their references
[Tutorials 2013] Unmodifiable Wrappers
4. Ensure that security-sensitive methods are called with validated arguments
Application code that calls security-sensitive methods must validate the arguments being
passed to the methods. In particular, null values may be interpreted as benign by certain
security-sensitive methods but may override default settings. Although security-sensitive
methods should be coded defensively, the client code must validate arguments that the
method might otherwise accept as valid. Failure to do so can result in privilege escalation
and execution of arbitrary code.
Noncompliant Code Example
This noncompliant code example shows the two-argument doPrivileged() method that
takes an access control context as the second argument. This code restores privileges from
a previously saved context.
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;

// accessControlContext is supplied by the caller and is never validated here;
// if it is null, doPrivileged() behaves like its one-argument form and the
// restrictions of the saved context are silently dropped.
AccessController.doPrivileged(
    new PrivilegedAction<Void>() {
        public Void run() {
            // ...
            return null;
        }
    }, accessControlContext);
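The guideline's point is that the client code, not doPrivileged(), must reject a null context, because the two-argument doPrivileged() accepts null and then behaves exactly like the one-argument form, discarding the restrictions of the saved context. The following is an added example written for this page, not the book's compliant solution; the class name ValidatedPrivilegedCall and the helper runWithContext() are assumed names, and the context captured in main() is a constructed sample.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added example (not from the book): validate the access control context
// before passing it to the two-argument doPrivileged().
public final class ValidatedPrivilegedCall {

    // Hypothetical helper: runs the privileged work under the restrictions
    // carried by 'context', or refuses when no context was supplied.
    static Void runWithContext(final AccessControlContext context) {
        if (context == null) {
            // A null context would silently widen privileges to the
            // one-argument doPrivileged() behaviour, so refuse instead.
            throw new SecurityException("AccessControlContext must not be null");
        }
        return AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                // ... privileged operation, restricted by 'context'
                return null;
            }
        }, context);
    }

    public static void main(String[] args) {
        // Constructed sample: capture the caller's current context and reuse it.
        AccessControlContext saved = AccessController.getContext();
        runWithContext(saved);
        System.out.println("privileged call completed under the saved context");

        // The unvalidated case from the noncompliant example is now rejected.
        try {
            runWithContext(null);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The null check is deliberately placed in the caller rather than relying on doPrivileged(): the API treats null as a valid argument, so only the client knows that, for this call, a missing context is a programming error rather than a request for unrestricted privileges.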