CWE-491: Public cloneable() Method Without Final ('Object Hijack')

What is Public cloneable() Method Without Final ('Object Hijack')?

• Overview: A vulnerability where a class has a cloneable() method that is not declared as final, allowing objects to be cloned without going through the intended constructor, potentially leading to objects being in an unintended or insecure state.

• Exploitation Methods:

• Attackers can exploit this by cloning objects in a way that bypasses validation or initialization logic present in constructors.
• Common attack patterns include creating object duplicates with altered state or bypassing access control checks that are enforced during object creation.

• Security Impact:

• Direct consequences include objects being in an inconsistent or insecure state.
• Potential cascading effects involve security mechanisms being bypassed, leading to unauthorized access or data corruption.
• Business impact can include data breaches, loss of system integrity, and reputational damage.

• Prevention Guidelines:

• Declare the cloneable() method as final to prevent subclass overriding.
• Ensure that clone() methods perform necessary validation and initialization.
• Use alternative patterns such as copy constructors or factory methods to control object creation.
• Utilize recommended tools and frameworks that enforce or assist in following best practices for object cloning and initialization.

Corgea can automatically detect and fix Public cloneable() Method Without Final ('Object Hijack') in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Java

Affected Technologies: Not specified

Vulnerable Code Example

// User.java {7-9}
public class User implements Cloneable {
    private String name;
    private int age;

    // Vulnerable clone method
    public Object clone() throws CloneNotSupportedException {
        return super.clone(); // Object can be cloned without calling constructor
    }

    // Constructor
    public User(String name, int age) {
        this.name = name;
        this.age = age;
    }
}

Explanation:

• In this code, the clone() method is public and not declared final, which means it can be overridden in subclasses. This allows the creation of object instances without invoking their constructors, potentially leading to objects in an inconsistent state. For example, a subclass could override the clone() method to modify the cloning behavior, leading to security vulnerabilities or logical errors.

How to fix Public cloneable() Method Without Final ('Object Hijack')?

To fix this issue, the clone() method should be declared as final. This prevents subclasses from overriding it, ensuring that the cloning behavior cannot be altered and objects cannot be created without calling their constructors. Additionally, the class itself can be declared as final if you want to prevent inheritance altogether, which is a more robust solution to prevent object hijacking through cloning.

Fixed Code Example

// User.java {7-11}
public final class User implements Cloneable { // Declare class final to prevent subclassing
    private String name;
    private int age;

    // Fixed clone method
    public final Object clone() throws CloneNotSupportedException { // Declare method final
        return super.clone(); // Object cloning is now safer
    }

    // Constructor
    public User(String name, int age) {
        this.name = name;
        this.age = age;
    }
}

Explanation:

• The User class is declared as final, which prevents any subclassing, thus eliminating any possibility of overriding the clone() method.
• The clone() method itself is also declared as final, ensuring no subclass (if allowed) could override it, thus maintaining control over how objects are cloned and preventing creation without constructors.
• By using final on both the class and method, we ensure that the integrity of the object is maintained and that the cloning process cannot be tampered with, effectively mitigating the risk of object hijacking.