Description
Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
Inner classes quietly introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, it appears that an inner class can be declared to be accessible only by the enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package level access to the original outer class. More insidiously, since an inner class can access private fields in its enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts private fields accessed by the inner class into protected fields.
Potential Impact
Confidentiality
Read Application Data
Demonstrative Examples
The following Java Applet code mistakenly makes use of an inner class.
Bad
public final class urlTool extends Applet {private final class urlHelper {...}...}The following example shows a basic use of inner classes. The class OuterClass contains the private member inner class InnerClass. The private inner class InnerClass includes the method concat that accesses the private member variables of the class OuterClass to output the value of one of the private member variables of the class OuterClass and returns a string that is a concatenation of one of the private member variables of the class OuterClass, the separator input parameter of the method and the private member variable of the class InnerClass.
Bad
public class OuterClass {
// private member variables of OuterClass
private String memberOne;private String memberTwo;
// constructor of OuterClass
public OuterClass(String varOne, String varTwo) {this.memberOne = varOne;this.memberTwo = varTwo;}
// InnerClass is a member inner class of OuterClass
private class InnerClass {private String innerMemberOne;
public InnerClass(String innerVarOne) {this.innerMemberOne = innerVarOne;}
public String concat(String separator) {
// InnerClass has access to private member variables of OuterClass
System.out.println("Value of memberOne is: " + memberOne);return OuterClass.this.memberTwo + separator + this.innerMemberOne;}}}Although this is an acceptable use of inner classes it demonstrates one of the weaknesses of inner classes that inner classes have complete access to all member variables and methods of the enclosing class even those that are declared private and protected. When inner classes are compiled and translated into Java bytecode the JVM treats the inner class as a peer class with package level access to the enclosing class.
To avoid this weakness of inner classes, consider using either static inner classes, local inner classes, or anonymous inner classes.
The following Java example demonstrates the use of static inner classes using the previous example. The inner class InnerClass is declared using the static modifier that signifies that InnerClass is a static member of the enclosing class OuterClass. By declaring an inner class as a static member of the enclosing class, the inner class can only access other static members and methods of the enclosing class and prevents the inner class from accessing nonstatic member variables and methods of the enclosing class. In this case the inner class InnerClass can only access the static member variable memberTwo of the enclosing class OuterClass but cannot access the nonstatic member variable memberOne.
Good
public class OuterClass {
// private member variables of OuterClass
private String memberOne;private static String memberTwo;
// constructor of OuterClass
public OuterClass(String varOne, String varTwo) {
this.memberOne = varOne;this.memberTwo = varTwo;}
// InnerClass is a static inner class of OuterClass
private static class InnerClass {
private String innerMemberOne;
public InnerClass(String innerVarOne) {this.innerMemberOne = innerVarOne;}public String concat(String separator) {
// InnerClass only has access to static member variables of OuterClass
return memberTwo + separator + this.innerMemberOne;
}
}
}The only limitation with using a static inner class is that as a static member of the enclosing class the inner class does not have a reference to instances of the enclosing class. For many situations this may not be ideal. An alternative is to use a local inner class or an anonymous inner class as shown in the next examples.
In the following example the BankAccount class contains the private member inner class InterestAdder that adds interest to the bank account balance. The start method of the BankAccount class creates an object of the inner class InterestAdder, the InterestAdder inner class implements the ActionListener interface with the method actionPerformed. A Timer object created within the start method of the BankAccount class invokes the actionPerformed method of the InterestAdder class every 30 days to add the interest to the bank account balance based on the interest rate passed to the start method as an input parameter. The inner class InterestAdder needs access to the private member variable balance of the BankAccount class in order to add the interest to the bank account balance.
However as demonstrated in the previous example, because InterestAdder is a non-static member inner class of the BankAccount class, InterestAdder also has access to the private member variables of the BankAccount class - including the sensitive data contained in the private member variables for the bank account owner's name, Social Security number, and the bank account number.
Bad
public class BankAccount {
// private member variables of BankAccount class
private String accountOwnerName;private String accountOwnerSSN;private int accountNumber;private double balance;
// constructor for BankAccount class
public BankAccount(String accountOwnerName, String accountOwnerSSN,int accountNumber, double initialBalance, int initialRate){this.accountOwnerName = accountOwnerName;this.accountOwnerSSN = accountOwnerSSN;this.accountNumber = accountNumber;this.balance = initialBalance;this.start(initialRate);}
// start method will add interest to balance every 30 days
// creates timer object and interest adding action listener object
public void start(double rate){ActionListener adder = new InterestAdder(rate);Timer t = new Timer(1000 * 3600 * 24 * 30, adder);t.start();}
// InterestAdder is an inner class of BankAccount class
// that implements the ActionListener interface
private class InterestAdder implements ActionListener{
private double rate;
public InterestAdder(double aRate){this.rate = aRate;}
public void actionPerformed(ActionEvent event){
// update interest
double interest = BankAccount.this.balance * rate / 100;BankAccount.this.balance += interest;
}
}
}In the following example the InterestAdder class from the above example is declared locally within the start method of the BankAccount class. As a local inner class InterestAdder has its scope restricted to the method (or enclosing block) where it is declared, in this case only the start method has access to the inner class InterestAdder, no other classes including the enclosing class has knowledge of the inner class outside of the start method. This allows the inner class to access private member variables of the enclosing class but only within the scope of the enclosing method or block.
Good
public class BankAccount {
// private member variables of BankAccount class
private String accountOwnerName;private String accountOwnerSSN;private int accountNumber;private double balance;
// constructor for BankAccount class
public BankAccount(String accountOwnerName, String accountOwnerSSN,int accountNumber, double initialBalance, int initialRate){this.accountOwnerName = accountOwnerName;this.accountOwnerSSN = accountOwnerSSN;this.accountNumber = accountNumber;this.balance = initialBalance;this.start(initialRate);}
// start method will add interest to balance every 30 days
// creates timer object and interest adding action listener object
public void start(final double rate){
// InterestAdder is a local inner class
// that implements the ActionListener interface
class InterestAdder implements ActionListener{
public void actionPerformed(ActionEvent event){
// update interest
double interest = BankAccount.this.balance * rate / 100;BankAccount.this.balance += interest;
}
}ActionListener adder = new InterestAdder();Timer t = new Timer(1000 * 3600 * 24 * 30, adder);t.start();
}
}A similar approach would be to use an anonymous inner class as demonstrated in the next example. An anonymous inner class is declared without a name and creates only a single instance of the inner class object. As in the previous example the anonymous inner class has its scope restricted to the start method of the BankAccount class.
Good
public class BankAccount {
// private member variables of BankAccount class
private String accountOwnerName;private String accountOwnerSSN;private int accountNumber;private double balance;
// constructor for BankAccount class
public BankAccount(String accountOwnerName, String accountOwnerSSN,int accountNumber, double initialBalance, int initialRate){this.accountOwnerName = accountOwnerName;this.accountOwnerSSN = accountOwnerSSN;this.accountNumber = accountNumber;this.balance = initialBalance;this.start(initialRate);}
// start method will add interest to balance every 30 days
// creates timer object and interest adding action listener object
public void start(final double rate){
// anonymous inner class that implements the ActionListener interface
ActionListener adder = new ActionListener(){
public void actionPerformed(ActionEvent event){
double interest = BankAccount.this.balance * rate / 100;
BankAccount.this.balance += interest;
}
};
Timer t = new Timer(1000 * 3600 * 24 * 30, adder);t.start();
}
}In the following Java example a simple applet provides the capability for a user to input a URL into a text field and have the URL opened in a new browser window. The applet contains an inner class that is an action listener for the submit button, when the user clicks the submit button the inner class action listener's actionPerformed method will open the URL entered into the text field in a new browser window. As with the previous examples using inner classes in this manner creates a security risk by exposing private variables and methods. Inner classes create an additional security risk with applets as applets are executed on a remote machine through a web browser within the same JVM and therefore may run side-by-side with other potentially malicious code.
Bad
public class UrlToolApplet extends Applet {
// private member variables for applet components
private Label enterUrlLabel;private TextField enterUrlTextField;private Button submitButton;
// init method that adds components to applet
// and creates button listener object
public void init() {setLayout(new FlowLayout());enterUrlLabel = new Label("Enter URL: ");enterUrlTextField = new TextField("", 20);submitButton = new Button("Submit");add(enterUrlLabel);add(enterUrlTextField);add(submitButton);ActionListener submitButtonListener = new SubmitButtonListener();submitButton.addActionListener(submitButtonListener);}
// button listener inner class for UrlToolApplet class
private class SubmitButtonListener implements ActionListener {
public void actionPerformed(ActionEvent evt) {
if (evt.getSource() == submitButton) {String urlString = enterUrlTextField.getText();URL url = null;try {url = new URL(urlString);} catch (MalformedURLException e) {System.err.println("Malformed URL: " + urlString);}if (url != null) {getAppletContext().showDocument(url);}}
}
}
}As with the previous examples a solution to this problem would be to use a static inner class, a local inner class or an anonymous inner class. An alternative solution would be to have the applet implement the action listener rather than using it as an inner class as shown in the following example.
Good
public class UrlToolApplet extends Applet implements ActionListener {
// private member variables for applet components
private Label enterUrlLabel;private TextField enterUrlTextField;private Button submitButton;
// init method that adds components to applet
public void init() {setLayout(new FlowLayout());enterUrlLabel = new Label("Enter URL: ");enterUrlTextField = new TextField("", 20);submitButton = new Button("Submit");add(enterUrlLabel);add(enterUrlTextField);add(submitButton);submitButton.addActionListener(this);}
// implementation of actionPerformed method of ActionListener interface
public void actionPerformed(ActionEvent evt) {
if (evt.getSource() == submitButton) {String urlString = enterUrlTextField.getText();URL url = null;try {url = new URL(urlString);} catch (MalformedURLException e) {System.err.println("Malformed URL: " + urlString);}if (url != null) {getAppletContext().showDocument(url);}}
}
}Mitigations & Prevention
Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways.
Inner Classes do not provide security. Warning: Never reduce the security of the object from an outer class, going to an inner class. If an outer class is final or private, ensure that its inner class is private as well.
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- 7 Pernicious Kingdoms: — Mobile Code: Use of Inner Class
- CLASP: — Publicizing of private data when using inner classes
- The CERT Oracle Secure Coding Standard for Java (2011): OBJ08-J — Do not expose private members of an outer class from within a nested class
Frequently Asked Questions
What is CWE-492?
CWE-492 (Use of Inner Class Containing Sensitive Data) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
How can CWE-492 be exploited?
Attackers can exploit CWE-492 (Use of Inner Class Containing Sensitive Data) to read application data. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-492?
Key mitigations include: Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways.
What is the severity of CWE-492?
CWE-492 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.