CWE-492: Use of Inner Class Containing Sensitive Data
View customized information:
For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers.
For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts.
For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers.
For users who wish to see all available information for the CWE/CAPEC entry.
For users who want to customize what details are displayed.
×
Edit Custom FilterInner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be declared to be accessible only by the enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package level access to the original outer class. More insidiously, since an inner class can access private fields in its enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields.
This table specifies different individual consequences
associated with the weakness. The Scope identifies the application security area that is
violated, while the Impact describes the negative technical impact that arises if an
adversary succeeds in exploiting this weakness. The Likelihood provides information about
how likely the specific consequence is expected to be seen relative to the other
consequences in the list. For example, there may be high likelihood that a weakness will be
exploited to achieve a certain impact, but a low likelihood that it will be exploited to
achieve a different impact.
This table shows the weaknesses and high level categories that are related to this
weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to
similar items that may exist at higher and lower levels of abstraction. In addition,
relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user
may want to explore.
Relevant to the view "Research Concepts" (CWE-1000)
The different Modes of Introduction provide information
about how and when this
weakness may be introduced. The Phase identifies a point in the life cycle at which
introduction
may occur, while the Note provides a typical scenario related to introduction during the
given
phase.
This listing shows possible areas for which the given
weakness could appear. These
may be for specific named Languages, Operating Systems, Architectures, Paradigms,
Technologies,
or a class of such platforms. The platform is listed along with how frequently the given
weakness appears for that instance.
Languages Java (Undetermined Prevalence) Example 1 The following Java Applet code mistakenly makes use of an inner class. (bad code)
Example Language: Java
public final class urlTool extends Applet {
private final class urlHelper { }... }... Example 2 The following example shows a basic use of inner classes. The class OuterClass contains the private member inner class InnerClass. The private inner class InnerClass includes the method concat that accesses the private member variables of the class OuterClass to output the value of one of the private member variables of the class OuterClass and returns a string that is a concatenation of one of the private member variables of the class OuterClass, the separator input parameter of the method and the private member variable of the class InnerClass. (bad code)
Example Language: Java
public class OuterClass {
// private member variables of OuterClass
}private String memberOne; private String memberTwo; // constructor of OuterClass public OuterClass(String varOne, String varTwo) { this.memberOne = varOne; }this.memberTwo = varTwo; // InnerClass is a member inner class of OuterClass private class InnerClass { private String innerMemberOne; }public InnerClass(String innerVarOne) { this.innerMemberOne = innerVarOne; }public String concat(String separator) {
// InnerClass has access to private member variables of OuterClass
}System.out.println("Value of memberOne is: " + memberOne); return OuterClass.this.memberTwo + separator + this.innerMemberOne; Although this is an acceptable use of inner classes it demonstrates one of the weaknesses of inner classes that inner classes have complete access to all member variables and methods of the enclosing class even those that are declared private and protected. When inner classes are compiled and translated into Java bytecode the JVM treats the inner class as a peer class with package level access to the enclosing class. To avoid this weakness of inner classes, consider using either static inner classes, local inner classes, or anonymous inner classes. The following Java example demonstrates the use of static inner classes using the previous example. The inner class InnerClass is declared using the static modifier that signifies that InnerClass is a static member of the enclosing class OuterClass. By declaring an inner class as a static member of the enclosing class, the inner class can only access other static members and methods of the enclosing class and prevents the inner class from accessing nonstatic member variables and methods of the enclosing class. In this case the inner class InnerClass can only access the static member variable memberTwo of the enclosing class OuterClass but cannot access the nonstatic member variable memberOne. (good code)
Example Language: Java
public class OuterClass {
// private member variables of OuterClass private String memberOne; private static String memberTwo; // constructor of OuterClass public OuterClass(String varOne, String varTwo) { this.memberOne = varOne; }this.memberTwo = varTwo; // InnerClass is a static inner class of OuterClass private static class InnerClass { private String innerMemberOne; public InnerClass(String innerVarOne) { this.innerMemberOne = innerVarOne; }public String concat(String separator) {
// InnerClass only has access to static member variables of OuterClass
return memberTwo + separator + this.innerMemberOne; The only limitation with using a static inner class is that as a static member of the enclosing class the inner class does not have a reference to instances of the enclosing class. For many situations this may not be ideal. An alternative is to use a local inner class or an anonymous inner class as shown in the next examples. Example 3 In the following example the BankAccount class contains the private member inner class InterestAdder that adds interest to the bank account balance. The start method of the BankAccount class creates an object of the inner class InterestAdder, the InterestAdder inner class implements the ActionListener interface with the method actionPerformed. A Timer object created within the start method of the BankAccount class invokes the actionPerformed method of the InterestAdder class every 30 days to add the interest to the bank account balance based on the interest rate passed to the start method as an input parameter. The inner class InterestAdder needs access to the private member variable balance of the BankAccount class in order to add the interest to the bank account balance. However as demonstrated in the previous example, because InterestAdder is a non-static member inner class of the BankAccount class, InterestAdder also has access to the private member variables of the BankAccount class - including the sensitive data contained in the private member variables for the bank account owner's name, Social Security number, and the bank account number. (bad code)
Example Language: Java
public class BankAccount {
// private member variables of BankAccount class private String accountOwnerName; private String accountOwnerSSN; private int accountNumber; private double balance; // constructor for BankAccount class public BankAccount(String accountOwnerName, String accountOwnerSSN, int accountNumber, double initialBalance, int initialRate) { this.accountOwnerName = accountOwnerName; }this.accountOwnerSSN = accountOwnerSSN; this.accountNumber = accountNumber; this.balance = initialBalance; this.start(initialRate); // start method will add interest to balance every 30 days // creates timer object and interest adding action listener object public void start(double rate) { ActionListener adder = new InterestAdder(rate); }Timer t = new Timer(1000 * 3600 * 24 * 30, adder); t.start(); // InterestAdder is an inner class of BankAccount class // that implements the ActionListener interface private class InterestAdder implements ActionListener { private double rate;
public InterestAdder(double aRate) { this.rate = aRate; }public void actionPerformed(ActionEvent event) {
// update interest
double interest = BankAccount.this.balance * rate / 100; BankAccount.this.balance += interest; In the following example the InterestAdder class from the above example is declared locally within the start method of the BankAccount class. As a local inner class InterestAdder has its scope restricted to the method (or enclosing block) where it is declared, in this case only the start method has access to the inner class InterestAdder, no other classes including the enclosing class has knowledge of the inner class outside of the start method. This allows the inner class to access private member variables of the enclosing class but only within the scope of the enclosing method or block. (good code)
Example Language: Java
public class BankAccount {
// private member variables of BankAccount class private String accountOwnerName; private String accountOwnerSSN; private int accountNumber; private double balance; // constructor for BankAccount class public BankAccount(String accountOwnerName, String accountOwnerSSN, int accountNumber, double initialBalance, int initialRate) { this.accountOwnerName = accountOwnerName; }this.accountOwnerSSN = accountOwnerSSN; this.accountNumber = accountNumber; this.balance = initialBalance; this.start(initialRate); // start method will add interest to balance every 30 days // creates timer object and interest adding action listener object public void start(final double rate) { // InterestAdder is a local inner class // that implements the ActionListener interface class InterestAdder implements ActionListener { public void actionPerformed(ActionEvent event)
{
// update interest
double interest = BankAccount.this.balance * rate / 100; BankAccount.this.balance += interest; ActionListener adder = new InterestAdder(); Timer t = new Timer(1000 * 3600 * 24 * 30, adder); t.start(); A similar approach would be to use an anonymous inner class as demonstrated in the next example. An anonymous inner class is declared without a name and creates only a single instance of the inner class object. As in the previous example the anonymous inner class has its scope restricted to the start method of the BankAccount class. (good code)
Example Language: Java
public class BankAccount {
// private member variables of BankAccount class private String accountOwnerName; private String accountOwnerSSN; private int accountNumber; private double balance; // constructor for BankAccount class public BankAccount(String accountOwnerName, String accountOwnerSSN, int accountNumber, double initialBalance, int initialRate) { this.accountOwnerName = accountOwnerName; }this.accountOwnerSSN = accountOwnerSSN; this.accountNumber = accountNumber; this.balance = initialBalance; this.start(initialRate); // start method will add interest to balance every 30 days // creates timer object and interest adding action listener object public void start(final double rate) { // anonymous inner class that implements the ActionListener interface ActionListener adder = new ActionListener() { public void actionPerformed(ActionEvent event)
{ double interest = BankAccount.this.balance * rate / 100; BankAccount.this.balance += interest; Timer t = new Timer(1000 * 3600 * 24 * 30, adder); t.start(); Example 4 In the following Java example a simple applet provides the capability for a user to input a URL into a text field and have the URL opened in a new browser window. The applet contains an inner class that is an action listener for the submit button, when the user clicks the submit button the inner class action listener's actionPerformed method will open the URL entered into the text field in a new browser window. As with the previous examples using inner classes in this manner creates a security risk by exposing private variables and methods. Inner classes create an additional security risk with applets as applets are executed on a remote machine through a web browser within the same JVM and therefore may run side-by-side with other potentially malicious code. (bad code)
public class UrlToolApplet extends Applet {
// private member variables for applet components private Label enterUrlLabel; private TextField enterUrlTextField; private Button submitButton; // init method that adds components to applet // and creates button listener object public void init() { setLayout(new FlowLayout()); }enterUrlLabel = new Label("Enter URL: "); enterUrlTextField = new TextField("", 20); submitButton = new Button("Submit"); add(enterUrlLabel); add(enterUrlTextField); add(submitButton); ActionListener submitButtonListener = new SubmitButtonListener(); submitButton.addActionListener(submitButtonListener); // button listener inner class for UrlToolApplet class private class SubmitButtonListener implements ActionListener { public void actionPerformed(ActionEvent evt) {
if (evt.getSource() == submitButton) {
String urlString = enterUrlTextField.getText(); }URL url = null; try { url = new URL(urlString); } catch (MalformedURLException e) {System.err.println("Malformed URL: " + urlString); }if (url != null) { getAppletContext().showDocument(url); }As with the previous examples a solution to this problem would be to use a static inner class, a local inner class or an anonymous inner class. An alternative solution would be to have the applet implement the action listener rather than using it as an inner class as shown in the following example. (good code)
Example Language: Java
public class UrlToolApplet extends Applet implements ActionListener {
// private member variables for applet components private Label enterUrlLabel; private TextField enterUrlTextField; private Button submitButton; // init method that adds components to applet public void init() { setLayout(new FlowLayout()); }enterUrlLabel = new Label("Enter URL: "); enterUrlTextField = new TextField("", 20); submitButton = new Button("Submit"); add(enterUrlLabel); add(enterUrlTextField); add(submitButton); submitButton.addActionListener(this); // implementation of actionPerformed method of ActionListener interface public void actionPerformed(ActionEvent evt) { if (evt.getSource() == submitButton) {
String urlString = enterUrlTextField.getText(); }URL url = null; try { url = new URL(urlString); } catch (MalformedURLException e) {System.err.println("Malformed URL: " + urlString); }if (url != null) { getAppletContext().showDocument(url); }
This MemberOf Relationships table shows additional CWE Categories and Views that
reference this weakness as a member. This information is often useful in understanding where a
weakness fits within the context of external information sources.
Other
Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.
More information is available — Please edit the custom filter or select a different filter. |
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. |