GitHub
CERT Secure Coding

MET03-J. Methods that perform a security check must be declared private or final

Nonfinal member methods that perform security checks can be compromised when a malicious subclass overrides the methods and omits the checks. Consequently, such methods must be declared private or final to prevent overriding.

Noncompliant Code Example

This noncompliant code example allows a subclass to override the readSensitiveFile() method and omit the required security check:

Non-compliant code
public void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
}

Compliant Solution

This compliant solution prevents overriding of the readSensitiveFile() method by declaring it final:

Compliant code
public final void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
}

Compliant Solution

This compliant solution prevents overriding of the readSensitiveFile() method by declaring it private:

Compliant code
private void readSensitiveFile() {
  try {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {  // Check for permission to read file
      sm.checkRead("/temp/tempFile");
    }
    // Access the file
  } catch (SecurityException se) {
    // Log exception
  }
}

Exceptions

MET03-J-EX0: Classes that are declared final are exempt from this rule because their member methods cannot be overridden.

Risk Assessment

Failure to declare a class's method private or final affords the opportunity for a malicious subclass to bypass the security checks performed in the method.

Rule Severity Likelihood Detectable Repairable Priority Level
MET03-J Medium Probable No No P4 L3

Android Implementation Details

On Android, System.getSecurityManager() is not used, and the use of a security manager is not exercised. However, an Android developer can implement security-sensitive methods, so the principle may be applicable on Android.

Bibliography

[ Ware 2008 ]IH.2.b.b. Declare methods that enforce SecurityManager checks final—especially in non-final classes