A non-final method that performs a security check can be overridden in ways that bypass that check.
If a subclass overrides such a method, the subclass can skip the security check that its parent class intended to enforce.
Example 1: In the following code, doSecurityCheck() performs a security check, but because it is protected and not final, a subclass can override it.
    public class BadSecurityCheck {
        private int id;

        public BadSecurityCheck() {
            // Virtual call from the constructor: resolves to a subclass override if one exists.
            doSecurityCheck();
            id = 1;
        }

        // Non-final and protected, so a subclass may replace it with an empty body.
        protected void doSecurityCheck() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(new SomePermission("SomeAction"));
            }
        }
    }
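The following added example (not part of the original page) places the vulnerable class beside a hardened version whose check is declared final, and adds a small reflection-based audit that reports whether a class's security-check methods can still be overridden. SomePermission is a stand-in class constructed here; the audit method name and its "securitycheck" name filter are assumptions for illustration. Note that SecurityManager is deprecated for removal since JDK 17, so this compiles with a deprecation warning on recent JDKs.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.security.BasicPermission;

// Stand-in for the page's SomePermission (constructed for this example).
class SomePermission extends BasicPermission {
    SomePermission(String name) { super(name); }
}

// Vulnerable form from the page: the check is protected and non-final, so a
// subclass override with an empty body is reached from the constructor instead.
class BadSecurityCheck {
    private int id;
    public BadSecurityCheck() { doSecurityCheck(); id = 1; }
    protected void doSecurityCheck() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new SomePermission("SomeAction"));
    }
}

// Hardened form: the same check declared final (private would also work), so any
// subclass attempt to override doSecurityCheck() is a compile-time error.
class GoodSecurityCheck {
    private int id;
    public GoodSecurityCheck() { doSecurityCheck(); id = 1; }
    protected final void doSecurityCheck() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new SomePermission("SomeAction"));
    }
}

public class OverridableCheckAudit {
    // Reflection audit (assumed helper): true when every method whose name looks
    // like a security check is final, private, or static, or the class is final.
    static boolean checkMethodsAreNonOverridable(Class<?> c) {
        if (Modifier.isFinal(c.getModifiers())) return true;
        for (Method m : c.getDeclaredMethods()) {
            if (!m.getName().toLowerCase().contains("securitycheck")) continue;
            int mod = m.getModifiers();
            if (!(Modifier.isFinal(mod) || Modifier.isPrivate(mod) || Modifier.isStatic(mod))) {
                return false;
            }
        }
        return true;
    }
    public static void main(String[] args) {
        System.out.println("BadSecurityCheck  non-overridable? " + checkMethodsAreNonOverridable(BadSecurityCheck.class));
        System.out.println("GoodSecurityCheck non-overridable? " + checkMethodsAreNonOverridable(GoodSecurityCheck.class));
    }
}
```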