CWE 492

Use of Inner Class Containing Sensitive Data

Weakness ID: 492 (Weakness Variant)

Status: Draft

Description

Description Summary

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.

Time of Introduction

Implementation

Applicable Platforms

Languages

Java

Common Consequences

Scope	Effect
Confidentiality	"Inner Classes" data confidentiality aspects can often be overcome.

Likelihood of Exploit

Medium

Demonstrative Examples

Example 1

The following Java Applet code mistakenly makes use of an inner class.

(Bad Code)

Example Language: Java

public final class urlTool extends Applet {

private final class urlHelper {

...

}

...

}

Example 2

The following example shows a basic use of inner classes. The class OuterClass contains the private member inner class InnerClass. The private inner class InnerClass includes the method concat that accesses the private member variables of the class OuterClass to output the value of one of the private member variables of the class OuterClass and returns a string that is a concatenation of one of the private member variables of the class OuterClass, the separator input parameter of the method and the private member variable of the class InnerClass.

(Bad Code)

Example Language: Java

public class OuterClass {

// private member variables of OuterClass

private String memberOne;

private String memberTwo;

// constructor of OuterClass

public OuterClass(String varOne, String varTwo) {

this.memberOne = varOne;

this.memberTwo = varTwo;

}

// InnerClass is a member inner class of OuterClass

private class InnerClass {

private String innerMemberOne;

public InnerClass(String innerVarOne) {

this.innerMemberOne = innerVarOne;

}

public String concat(String separator) {

// InnerClass has access to private member variables of OuterClass

System.out.println("Value of memberOne is: " + memberOne);

return OuterClass.this.memberTwo + separator + this.innerMemberOne;

}

Although this is an acceptable use of inner classes it demonstrates one of the weaknesses of inner classes that inner classes have complete access to all member variables and methods of the enclosing class even those that are declared private and protected. When inner classes are compiled and translated into Java bytecode the JVM treats the inner class as a peer class with package level access to the enclosing class.

To avoid this weakness of inner classes, consider using either static inner classes, local inner classes, or anonymous inner classes.

The following Java example demonstrates the use of static inner classes using the previous example. The inner class InnerClass is declared using the static modifier that signifies that InnerClass is a static member of the enclosing class OuterClass. By declaring an inner class as a static member of the enclosing class, the inner class can only access other static members and methods of the enclosing class and prevents the inner class from accessing nonstatic member variables and methods of the enclosing class. In this case the inner class InnerClass can only access the static member variable memberTwo of the enclosing class OuterClass but cannot access the nonstatic member variable memberOne.

(Good Code)

Example Language: Java

public class OuterClass {

// private member variables of OuterClass

private String memberOne;

private static String memberTwo;

// constructor of OuterClass

public OuterClass(String varOne, String varTwo) {

this.memberOne = varOne;

this.memberTwo = varTwo;

}

// InnerClass is a static inner class of OuterClass

private static class InnerClass {

private String innerMemberOne;

public InnerClass(String innerVarOne) {

this.innerMemberOne = innerVarOne;

}

public String concat(String separator) {

// InnerClass only has access to static member variables of OuterClass

return memberTwo + separator + this.innerMemberOne;

}

The only limitation with using a static inner class is that as a static member of the enclosing class the inner class does not have a reference to instances of the enclosing class. For many situations this may not be ideal. An alternative is to use a local inner class or an anonymous inner class as shown in the next examples.

Example 3

In the following example the BankAccount class contains the private member inner class InterestAdder that adds interest to the bank account balance. The start method of the BankAccount class creates an object of the inner class InterestAdder, the InterestAdder inner class implements the ActionListener interface with the method actionPerformed. A Timer object created within the start method of the BankAccount class invokes the actionPerformed method of the InterestAdder class every 30 days to add the interest to the bank account balance based on the interest rate passed to the start method as an input parameter. The inner class InterestAdder needs access to the private member variable balance of the BankAccount class in order to add the interest to the bank account balance.

However as demonstrated in the previous example, because InterestAdder is a non-static member inner class of the BankAccount class, InterestAdder also has access to the private member variables of the BankAccount class - including the sensitive data contained in the private member variables for the bank account owner's name, Social Security number, and the bank account number.

(Bad Code)

Example Language: Java

public class BankAccount {

// private member variables of BankAccount class

private String accountOwnerName;

private String accountOwnerSSN;

private int accountNumber;

private double balance;

// constructor for BankAccount class

public BankAccount(String accountOwnerName, String accountOwnerSSN,

int accountNumber, double initialBalance, int initialRate)

{

this.accountOwnerName = accountOwnerName;

this.accountOwnerSSN = accountOwnerSSN;

this.accountNumber = accountNumber;

this.balance = initialBalance;

this.start(initialRate);

}

// start method will add interest to balance every 30 days

// creates timer object and interest adding action listener object

public void start(double rate)

{

ActionListener adder = new InterestAdder(rate);

Timer t = new Timer(1000 * 3600 * 24 * 30, adder);

t.start();

}

// InterestAdder is an inner class of BankAccount class

// that implements the ActionListener interface

private class InterestAdder implements ActionListener

{

private double rate;

public InterestAdder(double aRate)

{

this.rate = aRate;

}

public void actionPerformed(ActionEvent event)

{

// update interest

double interest = BankAccount.this.balance * rate / 100;

BankAccount.this.balance += interest;

}

In the following example the InterestAdder class from the above example is declared locally within the start method of the BankAccount class. As a local inner class InterestAdder has its scope restricted to the method (or enclosing block) where it is declared, in this case only the start method has access to the inner class InterestAdder, no other classes including the enclosing class has knowledge of the inner class outside of the start method. This allows the inner class to access private member variables of the enclosing class but only within the scope of the enclosing method or block.

(Good Code)

Example Language: Java

public class BankAccount {

// private member variables of BankAccount class

private String accountOwnerName;

private String accountOwnerSSN;

private int accountNumber;

private double balance;

// constructor for BankAccount class

public BankAccount(String accountOwnerName, String accountOwnerSSN,

int accountNumber, double initialBalance, int initialRate)

{

this.accountOwnerName = accountOwnerName;

this.accountOwnerSSN = accountOwnerSSN;

this.accountNumber = accountNumber;

this.balance = initialBalance;

this.start(initialRate);

}

// start method will add interest to balance every 30 days

// creates timer object and interest adding action listener object

public void start(final double rate)

{

// InterestAdder is a local inner class

// that implements the ActionListener interface

class InterestAdder implements ActionListener

{

public void actionPerformed(ActionEvent event)

{

// update interest

double interest = BankAccount.this.balance * rate / 100;

BankAccount.this.balance += interest;

}

ActionListener adder = new InterestAdder();

Timer t = new Timer(1000 * 3600 * 24 * 30, adder);

t.start();

}

A similar approach would be to use an anonymous inner class as demonstrated in the next example. An anonymous inner class is declared without a name and creates only a single instance of the inner class object. As in the previous example the anonymous inner class has its scope restricted to the start method of the BankAccount class.

(Good Code)

Example Language: Java

public class BankAccount {

// private member variables of BankAccount class

private String accountOwnerName;

private String accountOwnerSSN;

private int accountNumber;

private double balance;

// constructor for BankAccount class

public BankAccount(String accountOwnerName, String accountOwnerSSN,

int accountNumber, double initialBalance, int initialRate)

{

this.accountOwnerName = accountOwnerName;

this.accountOwnerSSN = accountOwnerSSN;

this.accountNumber = accountNumber;

this.balance = initialBalance;

this.start(initialRate);

}

// start method will add interest to balance every 30 days

// creates timer object and interest adding action listener object

public void start(final double rate)

{

// anonymous inner class that implements the ActionListener interface

ActionListener adder = new ActionListener()

{

public void actionPerformed(ActionEvent event)

{

// update interest

double interest = BankAccount.this.balance * rate / 100;

BankAccount.this.balance += interest;

}

};

Timer t = new Timer(1000 * 3600 * 24 * 30, adder);

t.start();

}

Example 4

In the following Java example a simple applet provides the capability for a user to input a URL into a text field and have the URL opened in a new browser window. The applet contains an inner class that is an action listener for the submit button, when the user clicks the submit button the inner class action listener's actionPerformed method will open the URL entered into the text field in a new browser window. As with the previous examples using inner classes in this manner creates a security risk by exposing private variables and methods. Inner classes create an additional security risk with applets as applets are executed on a remote machine through a web browser within the same JVM and therefore may run side-by-side with other potentially malicious code.

(Bad Code)

public class UrlToolApplet extends Applet {

// private member variables for applet components

private Label enterUrlLabel;

private TextField enterUrlTextField;

private Button submitButton;

// init method that adds components to applet

// and creates button listener object

public void init() {

setLayout(new FlowLayout());

enterUrlLabel = new Label("Enter URL: ");

enterUrlTextField = new TextField("", 20);

submitButton = new Button("Submit");

add(enterUrlLabel);

add(enterUrlTextField);

add(submitButton);

ActionListener submitButtonListener = new SubmitButtonListener();

submitButton.addActionListener(submitButtonListener);

}

// button listener inner class for UrlToolApplet class

private class SubmitButtonListener implements ActionListener {

public void actionPerformed(ActionEvent evt) {

if (evt.getSource() == submitButton) {

String urlString = enterUrlTextField.getText();

URL url = null;

try {

url = new URL(urlString.html);

} catch (MalformedURLException e) {

System.err.println("Malformed URL: " + urlString);

}

if (url != null) {

getAppletContext().showDocument(url);

}

As with the previous examples a solution to this problem would be to use a static inner class, a local inner class or an anonymous inner class. An alternative solution would be to have the applet implement the action listener rather than using it as an inner class as shown in the following example.

(Good Code)

Example Language: Java

public class UrlToolApplet extends Applet implements ActionListener {

// private member variables for applet components

private Label enterUrlLabel;

private TextField enterUrlTextField;

private Button submitButton;

// init method that adds components to applet

public void init() {

setLayout(new FlowLayout());

enterUrlLabel = new Label("Enter URL: ");

enterUrlTextField = new TextField("", 20);

submitButton = new Button("Submit");

add(enterUrlLabel);

add(enterUrlTextField);

add(submitButton);

submitButton.addActionListener(this);

}

// implementation of actionPerformed method of ActionListener interface

public void actionPerformed(ActionEvent evt) {

if (evt.getSource() == submitButton) {

String urlString = enterUrlTextField.getText();

URL url = null;

try {

url = new URL(urlString.html);

} catch (MalformedURLException e) {

System.err.println("Malformed URL: " + urlString);

}

if (url != null) {

getAppletContext().showDocument(url);

}

Potential Mitigations

Phase: Implementation

Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways.

Phase: Implementation

Inner Classes do not provide security. Warning: Never reduce the security of the object from an outer class, going to an inner class. If an outer class is final or private, ensure that its inner class is private as well.

Other Notes

Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be declared to be accessible only by the enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package level access to the original outer class. More insidiously, since an inner class can access private fields in their enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields.

Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	485	Insufficient Encapsulation	Seven Pernicious Kingdoms (primary)700
ChildOf	Category	490	Mobile Code Issues	Development Concepts (primary)699
ChildOf	Weakness Class	668	Exposure of Resource to Wrong Sphere	Research Concepts (primary)1000

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
7 Pernicious Kingdoms			Mobile Code: Use of Inner Class
CLASP			Publicizing of private data when using inner classes

Content History

Submissions
Submission Date	Submitter	Organization	Source
	7 Pernicious Kingdoms		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Demonstrative Examples
2009-12-28	CWE Content Team	MITRE	Internal
2009-12-28	updated Demonstrative Examples, Potential Mitigations
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Mobile Code: Use of Inner Class

CWE 492

COMPANY

STANDARDS

RECENT POSTS

MENU