Use of Inner Class Containing Sensitive Data

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.


Description

Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be declared to be accessible only by the enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package level access to the original outer class. More insidiously, since an inner class can access private fields in its enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

The following Java Applet code mistakenly makes use of an inner class.

public final class urlTool extends Applet {
  private final class urlHelper {
    ...
  }
  ...
}

Example Two

The following example shows a basic use of inner classes. The class OuterClass contains the private member inner class InnerClass. The private inner class InnerClass includes the method concat that accesses the private member variables of the class OuterClass to output the value of one of the private member variables of the class OuterClass and returns a string that is a concatenation of one of the private member variables of the class OuterClass, the separator input parameter of the method and the private member variable of the class InnerClass.

public class OuterClass {
  // private member variables of OuterClass
  private String memberOne;
  private String memberTwo;

  // constructor of OuterClass
  public OuterClass(String varOne, String varTwo) {
    this.memberOne = varOne;
    this.memberTwo = varTwo;
  }

  // InnerClass is a member inner class of OuterClass
  private class InnerClass {
    private String innerMemberOne;

    public InnerClass(String innerVarOne) {
      this.innerMemberOne = innerVarOne;
    }

    public String concat(String separator) {
      // InnerClass has access to private member variables of OuterClass
      System.out.println("Value of memberOne is: " + memberOne);
      return OuterClass.this.memberTwo + separator + this.innerMemberOne;
    }
  }
}

Although this is an acceptable use of inner classes it demonstrates one of the weaknesses of inner classes that inner classes have complete access to all member variables and methods of the enclosing class even those that are declared private and protected. When inner classes are compiled and translated into Java bytecode the JVM treats the inner class as a peer class with package level access to the enclosing class.

To avoid this weakness of inner classes, consider using either static inner classes, local inner classes, or anonymous inner classes.

The following Java example demonstrates the use of static inner classes using the previous example. The inner class InnerClass is declared using the static modifier that signifies that InnerClass is a static member of the enclosing class OuterClass. By declaring an inner class as a static member of the enclosing class, the inner class can only access other static members and methods of the enclosing class and prevents the inner class from accessing nonstatic member variables and methods of the enclosing class. In this case the inner class InnerClass can only access the static member variable memberTwo of the enclosing class OuterClass but cannot access the nonstatic member variable memberOne.

public class OuterClass {



  // private member variables of OuterClass
  private String memberOne;
  private static String memberTwo;

  // constructor of OuterClass
  public OuterClass(String varOne, String varTwo) {

    this.memberOne = varOne;
    this.memberTwo = varTwo;
  }

  // InnerClass is a static inner class of OuterClass
  private static class InnerClass {


    private String innerMemberOne;

    public InnerClass(String innerVarOne) {
      this.innerMemberOne = innerVarOne;
    }
    public String concat(String separator) {


      // InnerClass only has access to static member variables of OuterClass
      return memberTwo + separator + this.innerMemberOne;

    }

  }

}

The only limitation with using a static inner class is that as a static member of the enclosing class the inner class does not have a reference to instances of the enclosing class. For many situations this may not be ideal. An alternative is to use a local inner class or an anonymous inner class as shown in the next examples.

Example Three

In the following example the BankAccount class contains the private member inner class InterestAdder that adds interest to the bank account balance. The start method of the BankAccount class creates an object of the inner class InterestAdder, the InterestAdder inner class implements the ActionListener interface with the method actionPerformed. A Timer object created within the start method of the BankAccount class invokes the actionPerformed method of the InterestAdder class every 30 days to add the interest to the bank account balance based on the interest rate passed to the start method as an input parameter. The inner class InterestAdder needs access to the private member variable balance of the BankAccount class in order to add the interest to the bank account balance.

However as demonstrated in the previous example, because InterestAdder is a non-static member inner class of the BankAccount class, InterestAdder also has access to the private member variables of the BankAccount class - including the sensitive data contained in the private member variables for the bank account owner's name, Social Security number, and the bank account number.

public class BankAccount {


  // private member variables of BankAccount class
  private String accountOwnerName;
  private String accountOwnerSSN;
  private int accountNumber;
  private double balance;

  // constructor for BankAccount class
  public BankAccount(String accountOwnerName, String accountOwnerSSN,
  int accountNumber, double initialBalance, int initialRate)
  {
    this.accountOwnerName = accountOwnerName;
    this.accountOwnerSSN = accountOwnerSSN;
    this.accountNumber = accountNumber;
    this.balance = initialBalance;
    this.start(initialRate);
  }

  // start method will add interest to balance every 30 days

  // creates timer object and interest adding action listener object
  public void start(double rate)
  {
    ActionListener adder = new InterestAdder(rate);
    Timer t = new Timer(1000 * 3600 * 24 * 30, adder);
    t.start();
  }

  // InterestAdder is an inner class of BankAccount class

  // that implements the ActionListener interface
  private class InterestAdder implements ActionListener
  {

    private double rate;

    public InterestAdder(double aRate)
    {
      this.rate = aRate;
    }

    public void actionPerformed(ActionEvent event)
    {


      // update interest
      double interest = BankAccount.this.balance * rate / 100;
      BankAccount.this.balance += interest;

    }


  }

}

In the following example the InterestAdder class from the above example is declared locally within the start method of the BankAccount class. As a local inner class InterestAdder has its scope restricted to the method (or enclosing block) where it is declared, in this case only the start method has access to the inner class InterestAdder, no other classes including the enclosing class has knowledge of the inner class outside of the start method. This allows the inner class to access private member variables of the enclosing class but only within the scope of the enclosing method or block.

public class BankAccount {


  // private member variables of BankAccount class
  private String accountOwnerName;
  private String accountOwnerSSN;
  private int accountNumber;
  private double balance;

  // constructor for BankAccount class
  public BankAccount(String accountOwnerName, String accountOwnerSSN,
  int accountNumber, double initialBalance, int initialRate)
  {
    this.accountOwnerName = accountOwnerName;
    this.accountOwnerSSN = accountOwnerSSN;
    this.accountNumber = accountNumber;
    this.balance = initialBalance;
    this.start(initialRate);
  }

  // start method will add interest to balance every 30 days

  // creates timer object and interest adding action listener object
  public void start(final double rate)
  {


    // InterestAdder is a local inner class

    // that implements the ActionListener interface
    class InterestAdder implements ActionListener
    {

      public void actionPerformed(ActionEvent event)
      {


        // update interest
        double interest = BankAccount.this.balance * rate / 100;
        BankAccount.this.balance += interest;

      }

    }
    ActionListener adder = new InterestAdder();
    Timer t = new Timer(1000 * 3600 * 24 * 30, adder);
    t.start();

  }

}

A similar approach would be to use an anonymous inner class as demonstrated in the next example. An anonymous inner class is declared without a name and creates only a single instance of the inner class object. As in the previous example the anonymous inner class has its scope restricted to the start method of the BankAccount class.

public class BankAccount {


  // private member variables of BankAccount class
  private String accountOwnerName;
  private String accountOwnerSSN;
  private int accountNumber;
  private double balance;

  // constructor for BankAccount class
  public BankAccount(String accountOwnerName, String accountOwnerSSN,
  int accountNumber, double initialBalance, int initialRate)
  {
    this.accountOwnerName = accountOwnerName;
    this.accountOwnerSSN = accountOwnerSSN;
    this.accountNumber = accountNumber;
    this.balance = initialBalance;
    this.start(initialRate);
  }

  // start method will add interest to balance every 30 days

  // creates timer object and interest adding action listener object
  public void start(final double rate)
  {


    // anonymous inner class that implements the ActionListener interface
    ActionListener adder = new ActionListener()
    {

      public void actionPerformed(ActionEvent event)
      {


        // update interest

        double interest = BankAccount.this.balance * rate / 100;
        BankAccount.this.balance += interest;

      }

    };

    Timer t = new Timer(1000 * 3600 * 24 * 30, adder);
    t.start();

  }

}

Example Four

In the following Java example a simple applet provides the capability for a user to input a URL into a text field and have the URL opened in a new browser window. The applet contains an inner class that is an action listener for the submit button, when the user clicks the submit button the inner class action listener's actionPerformed method will open the URL entered into the text field in a new browser window. As with the previous examples using inner classes in this manner creates a security risk by exposing private variables and methods. Inner classes create an additional security risk with applets as applets are executed on a remote machine through a web browser within the same JVM and therefore may run side-by-side with other potentially malicious code.

public class UrlToolApplet extends Applet {


  // private member variables for applet components
  private Label enterUrlLabel;
  private TextField enterUrlTextField;
  private Button submitButton;

  // init method that adds components to applet

  // and creates button listener object
  public void init() {
    setLayout(new FlowLayout());
    enterUrlLabel = new Label("Enter URL: ");
    enterUrlTextField = new TextField("", 20);
    submitButton = new Button("Submit");
    add(enterUrlLabel);
    add(enterUrlTextField);
    add(submitButton);
    ActionListener submitButtonListener = new SubmitButtonListener();
    submitButton.addActionListener(submitButtonListener);
  }

  // button listener inner class for UrlToolApplet class
  private class SubmitButtonListener implements ActionListener {

    public void actionPerformed(ActionEvent evt) {

      if (evt.getSource() == submitButton) {
        String urlString = enterUrlTextField.getText();
        URL url = null;
        try {
          url = new URL(urlString);
        } catch (MalformedURLException e) {
          System.err.println("Malformed URL: " + urlString);
        }
        if (url != null) {
          getAppletContext().showDocument(url);
        }
      }

    }

  }

}

As with the previous examples a solution to this problem would be to use a static inner class, a local inner class or an anonymous inner class. An alternative solution would be to have the applet implement the action listener rather than using it as an inner class as shown in the following example.

public class UrlToolApplet extends Applet implements ActionListener {


  // private member variables for applet components
  private Label enterUrlLabel;
  private TextField enterUrlTextField;
  private Button submitButton;

  // init method that adds components to applet
  public void init() {
    setLayout(new FlowLayout());
    enterUrlLabel = new Label("Enter URL: ");
    enterUrlTextField = new TextField("", 20);
    submitButton = new Button("Submit");
    add(enterUrlLabel);
    add(enterUrlTextField);
    add(submitButton);
    submitButton.addActionListener(this);
  }

  // implementation of actionPerformed method of ActionListener interface
  public void actionPerformed(ActionEvent evt) {

    if (evt.getSource() == submitButton) {
      String urlString = enterUrlTextField.getText();
      URL url = null;
      try {
        url = new URL(urlString);
      } catch (MalformedURLException e) {
        System.err.println("Malformed URL: " + urlString);
      }
      if (url != null) {
        getAppletContext().showDocument(url);
      }
    }

  }

}

See Also

SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)

Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.

SFP Secondary Cluster: Other Exposures

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

7PK - Encapsulation

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not su...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.