Information leak through class cloning

From OWASP
Revision as of 14:48, 4 August 2006 by Weilin Zhong (Talk | contribs)

Overview

Cloneable classes are effectively open classes since data cannot be hidden in them.

Consequences

  • Confidentiality: An instance of a class which can be cloned can be produced without executing the constructor, so any check the constructor performs is skipped for the copy.

Exposure period

  • Implementation: This is a style issue which needs to be adopted throughout the implementation of each class.

Platform

  • Languages: Java
  • Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

Avoidance and mitigation

  • Implementation: Make classes uncloneable by defining a clone method like the following (the return type must be Object, as in java.lang.Object.clone(), or the override will not compile):
public final Object clone() throws java.lang.CloneNotSupportedException {
     throw new java.lang.CloneNotSupportedException();
}
  • Implementation: If you do make your classes cloneable, ensure that your clone method is final and returns the result of super.clone().

Discussion

Classes which do not explicitly deny cloning can be cloned by any other class without running the constructor. This is, of course, dangerous since numerous checks and security aspects of an object are often taken care of in the constructor.
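The constructor bypass described above, next to the mitigation from the previous section, as an added example that is not from the original OWASP page; the Session and SafeSession classes and the constructorRuns counter are hypothetical.

```java
// Added example: a clone() copy skips the constructor, and the page's
// "final clone() that throws" mitigation refuses the copy outright.
public class CloneDemo {
    static int constructorRuns = 0;   // stands in for audit/registration work in the constructor

    // Leaky: Cloneable with a public clone(), so any caller can copy it without the constructor.
    static class Session implements Cloneable {
        final String user;

        Session(String user) {
            if (user == null || user.isEmpty()) throw new IllegalArgumentException("user required");
            constructorRuns++;                 // checks and side effects live only here
            this.user = user;
        }

        @Override public Object clone() throws CloneNotSupportedException {
            return super.clone();              // field-by-field copy; the constructor never runs
        }
    }

    // Hardened: clone() is final and always refuses, so neither callers nor subclasses get a copy.
    static class SafeSession {
        final String user;

        SafeSession(String user) {
            if (user == null || user.isEmpty()) throw new IllegalArgumentException("user required");
            constructorRuns++;
            this.user = user;
        }

        @Override public final Object clone() throws CloneNotSupportedException {
            throw new CloneNotSupportedException();
        }
    }

    public static void main(String[] args) throws Exception {
        Session s1 = new Session("alice");
        Session s2 = (Session) s1.clone();
        // Two live Session objects, but the constructor ran once: the copy was never checked.
        System.out.println("copy user=" + s2.user + ", constructor runs=" + constructorRuns);

        SafeSession safe = new SafeSession("bob");
        try {
            safe.clone();
            System.out.println("unexpected: SafeSession was cloned");
        } catch (CloneNotSupportedException e) {
            System.out.println("SafeSession refused cloning");
        }
    }
}
```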

Examples

public class CloneClient
{
        public CloneClient()
        {
                Teacher t1 = new Teacher("guddu", "22,nagar road");
                // ... do some work, then discard the original teacher.
                // The copy below is produced without running Teacher's constructor.
                Teacher t2 = (Teacher) t1.clone();
                System.out.println(t2.name);
        }

        public static void main(String args[])
        {
                new CloneClient();
        }
}

class Teacher implements Cloneable
{
        public String name;
        public String clas;

        public Teacher(String name, String clas)
        {
                this.name = name;
                this.clas = clas;
        }

        // A public clone() lets any other class copy a Teacher, bypassing the constructor.
        public Object clone()
        {
                try {
                        return super.clone();
                } catch (java.lang.CloneNotSupportedException e) {
                        throw new RuntimeException(e.toString());
                }
        }
}

Related problems

Not available.