Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Code Correctness: clone() Invokes Overridable Function

Abstract
The clone() method within the class calls a function that can be overridden.
Explanation
When a clone() function calls an overridable function, a subclass's override runs on the copy before clone() has finished setting it up, which may leave the clone in a partially initialized state or corrupt it.

Example 1: The following clone() function calls a method that can be overridden.


...
class User implements Cloneable {
private String username;
private boolean valid;
public Object clone() throws CloneNotSupportedException {
final User clone = (User) super.clone();
clone.doSomething();
return clone;
}
public void doSomething(){
...
}
}


Because neither doSomething() nor its enclosing class is final, a subclass can override doSomething(), and that override runs on the cloned object before clone() has finished constructing it. This may leave the clone in a partially initialized state, which may lead to errors or bypass the class's logic in unexpected ways.
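The following is an added example, not code from the original description: a subclass (AuditedUser, a constructed name) overrides the method that User.clone() invokes, and because the override runs before the subclass's own clone() has deep-copied its state, cloning mutates the original object. SafeUser shows the fix the CERT rule prescribes, making the method invoked from clone() final so it cannot be hooked.

```java
import java.util.ArrayList;
import java.util.List;

// Flawed base class: clone() dispatches to an overridable method.
class User implements Cloneable {
    private String username;
    User(String username) { this.username = username; }
    @Override
    public Object clone() throws CloneNotSupportedException {
        User copy = (User) super.clone();
        copy.doSomething();   // virtual call: subclass code runs on a half-built copy
        return copy;
    }
    public void doSomething() { }   // overridable hook
}
// Subclass with its own mutable state; its clone() fixup runs only after super.clone().
class AuditedUser extends User {
    List<String> audit = new ArrayList<>();
    AuditedUser(String u) { super(u); }
    @Override
    public void doSomething() {
        audit.add("cloned");   // executes while `audit` is still shared with the original
    }
    @Override
    public Object clone() throws CloneNotSupportedException {
        AuditedUser copy = (AuditedUser) super.clone();   // User.clone() already called doSomething()
        copy.audit = new ArrayList<>(audit);              // deep copy happens too late
        return copy;
    }
}
// Fixed base class: the method invoked from clone() cannot be overridden.
class SafeUser implements Cloneable {
    private String username;
    SafeUser(String username) { this.username = username; }
    @Override
    public Object clone() throws CloneNotSupportedException {
        SafeUser copy = (SafeUser) super.clone();
        copy.doSomething();   // always resolves to the final method below
        return copy;
    }
    public final void doSomething() { }   // final: no subclass can hook into clone()
}
public class CloneDemo {
    public static void main(String[] args) throws CloneNotSupportedException {
        AuditedUser original = new AuditedUser("alice");
        AuditedUser copy = (AuditedUser) original.clone();
        System.out.println("original: " + original.audit + " copy: " + copy.audit);
    }
}
```

Running main shows the entry added by the override in the original's audit list as well as the copy's, since the shallow copy still aliased the original's list when doSomething() ran; with SafeUser, the equivalent subclass override would not compile.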
desc.structural.java.code_correctness_clone_invokes_overridable_function