Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be declared to be accessible only by the enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package level access to the original outer class. More insidiously, since an inner class can access private fields in its enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields.
Threat Mapped score: 1.8
Industry: Finiancial
Threat priority: P4 - Informational (Low)
N/A
N/A
| Phase | Note |
|---|---|
| Implementation | N/A |
Intro: The following Java Applet code mistakenly makes use of an inner class.
public final class urlTool extends Applet { private final class urlHelper { ... } ... }Intro: The following example shows a basic use of inner classes. The class OuterClass contains the private member inner class InnerClass. The private inner class InnerClass includes the method concat that accesses the private member variables of the class OuterClass to output the value of one of the private member variables of the class OuterClass and returns a string that is a concatenation of one of the private member variables of the class OuterClass, the separator input parameter of the method and the private member variable of the class InnerClass.
Body: Although this is an acceptable use of inner classes it demonstrates one of the weaknesses of inner classes that inner classes have complete access to all member variables and methods of the enclosing class even those that are declared private and protected. When inner classes are compiled and translated into Java bytecode the JVM treats the inner class as a peer class with package level access to the enclosing class.
public class OuterClass { // private member variables of OuterClass private String memberOne; private String memberTwo; // constructor of OuterClass public OuterClass(String varOne, String varTwo) { this.memberOne = varOne; this.memberTwo = varTwo; } // InnerClass is a member inner class of OuterClass private class InnerClass { private String innerMemberOne; public InnerClass(String innerVarOne) { this.innerMemberOne = innerVarOne; } public String concat(String separator) { // InnerClass has access to private member variables of OuterClass System.out.println("Value of memberOne is: " + memberOne); return OuterClass.this.memberTwo + separator + this.innerMemberOne; } } }Intro: In the following example the BankAccount class contains the private member inner class InterestAdder that adds interest to the bank account balance. The start method of the BankAccount class creates an object of the inner class InterestAdder, the InterestAdder inner class implements the ActionListener interface with the method actionPerformed. A Timer object created within the start method of the BankAccount class invokes the actionPerformed method of the InterestAdder class every 30 days to add the interest to the bank account balance based on the interest rate passed to the start method as an input parameter. The inner class InterestAdder needs access to the private member variable balance of the BankAccount class in order to add the interest to the bank account balance.
Body: However as demonstrated in the previous example, because InterestAdder is a non-static member inner class of the BankAccount class, InterestAdder also has access to the private member variables of the BankAccount class - including the sensitive data contained in the private member variables for the bank account owner's name, Social Security number, and the bank account number.
public class BankAccount { // private member variables of BankAccount class private String accountOwnerName; private String accountOwnerSSN; private int accountNumber; private double balance; // constructor for BankAccount class public BankAccount(String accountOwnerName, String accountOwnerSSN, int accountNumber, double initialBalance, int initialRate) { this.accountOwnerName = accountOwnerName; this.accountOwnerSSN = accountOwnerSSN; this.accountNumber = accountNumber; this.balance = initialBalance; this.start(initialRate); } // start method will add interest to balance every 30 days // creates timer object and interest adding action listener object public void start(double rate) { ActionListener adder = new InterestAdder(rate); Timer t = new Timer(1000 * 3600 * 24 * 30, adder); t.start(); } // InterestAdder is an inner class of BankAccount class // that implements the ActionListener interface private class InterestAdder implements ActionListener { private double rate; public InterestAdder(double aRate) { this.rate = aRate; } public void actionPerformed(ActionEvent event) { // update interest double interest = BankAccount.this.balance * rate / 100; BankAccount.this.balance += interest; } } }Intro: In the following Java example a simple applet provides the capability for a user to input a URL into a text field and have the URL opened in a new browser window. The applet contains an inner class that is an action listener for the submit button, when the user clicks the submit button the inner class action listener's actionPerformed method will open the URL entered into the text field in a new browser window. As with the previous examples using inner classes in this manner creates a security risk by exposing private variables and methods. Inner classes create an additional security risk with applets as applets are executed on a remote machine through a web browser within the same JVM and therefore may run side-by-side with other potentially malicious code.
Body: As with the previous examples a solution to this problem would be to use a static inner class, a local inner class or an anonymous inner class. An alternative solution would be to have the applet implement the action listener rather than using it as an inner class as shown in the following example.
public class UrlToolApplet extends Applet { // private member variables for applet components private Label enterUrlLabel; private TextField enterUrlTextField; private Button submitButton; // init method that adds components to applet // and creates button listener object public void init() { setLayout(new FlowLayout()); enterUrlLabel = new Label("Enter URL: "); enterUrlTextField = new TextField("", 20); submitButton = new Button("Submit"); add(enterUrlLabel); add(enterUrlTextField); add(submitButton); ActionListener submitButtonListener = new SubmitButtonListener(); submitButton.addActionListener(submitButtonListener); } // button listener inner class for UrlToolApplet class private class SubmitButtonListener implements ActionListener { public void actionPerformed(ActionEvent evt) { if (evt.getSource() == submitButton) { String urlString = enterUrlTextField.getText(); URL url = null; try { url = new URL(urlString); } catch (MalformedURLException e) { System.err.println("Malformed URL: " + urlString); } if (url != null) { getAppletContext().showDocument(url); } } } } }