java 2 3
File details

| Flashcards | 496 |
|---|---|
| Language | German |
| Category | Computer science |
| Level | Other |
| Created / Updated | 06.12.2020 / 24.01.2021 |
| Web link | https://card2brain.ch/box/20201206_java_2_3 |
What is the "principle of least privilege"?
Give each class, method and user only the access it needs to do its job, and nothing more.
What is the problem here? How do you fix it?
public class GrasshopperCage {
    public static void openLock(ComboLocks comboLocks, String combo) {
        if (comboLocks.isComboValid("grasshopper", combo)) System.out.println("open");
    }
}
openLock() trusts whatever ComboLocks instance it is handed. Because ComboLocks is not final, an attacker can subclass it, override isComboValid() and pass that subclass to openLock(), for example:
public class LeakingComboLocks extends ComboLocks {
    @Override
    public boolean isComboValid(String animal, String combo) {
        var valid = super.isComboValid(animal, combo);
        if (valid) {
            // email the valid combination to the attacker
        }
        return valid;
    }
}
Fix: declare ComboLocks as a final class (or at least make isComboValid() final) so the check cannot be overridden.
Is this an immutable object?
public final class Animal {
    private final ArrayList<String> favoriteFoods;
    public Animal() {
        this.favoriteFoods = new ArrayList<String>();
        this.favoriteFoods.add("Apples");
    }
    public List<String> getFavoriteFoods() {
        return favoriteFoods;
    }
}
No. The field is final, but the ArrayList it points to is mutable, and getFavoriteFoods() hands out that live list, so any caller can do animal.getFavoriteFoods().add("Pizza"). Better: do not expose the list at all and provide accessor methods for individual properties instead, e.g.:
public String getFavoriteFoodsElement(int index) {
    return favoriteFoods.get(index);
}
What is a copy constructor?
A constructor that takes the data it needs (here a list), validates it and stores its own copy of it rather than the reference it was given, e.g.:
public Animal(List<String> favoriteFoods) {
    if (favoriteFoods == null) throw new RuntimeException("..");
    this.favoriteFoods = new ArrayList<String>(favoriteFoods);
}
What is a defensive copy?
Copying a mutable object before storing or returning it, so that code outside the class never holds a reference to the internal state. The new ArrayList<String>(favoriteFoods) in the copy constructor above is the copy operation that does this.
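The two cards above (immutable Animal, copy constructor and defensive copy) combined into one runnable class. This is an added example, not code from the flashcard set: the unmodifiable view returned by getFavoriteFoods(), the getFavoriteFoodsCount() accessor and the sample lists in main() are this example's own additions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public final class Animal {            // final: no subclass can add mutable state or override getters
    private final List<String> favoriteFoods;

    /** Copy constructor: validate, then defensively copy so the caller's list is never shared. */
    public Animal(List<String> favoriteFoods) {
        if (favoriteFoods == null) {
            throw new IllegalArgumentException("favoriteFoods must not be null");
        }
        this.favoriteFoods = new ArrayList<>(favoriteFoods);
    }

    public Animal() {
        this(List.of("Apples"));
    }

    public int getFavoriteFoodsCount() {
        return favoriteFoods.size();
    }

    public String getFavoriteFoodsElement(int index) {
        return favoriteFoods.get(index);
    }

    /** Read-only view: a caller who tries to modify it gets UnsupportedOperationException. */
    public List<String> getFavoriteFoods() {
        return Collections.unmodifiableList(favoriteFoods);
    }

    public static void main(String[] args) {
        List<String> callersList = new ArrayList<>(List.of("Apples", "Hay"));   // constructed sample
        Animal animal = new Animal(callersList);
        callersList.add("Pizza");                    // mutating the original list afterwards...
        System.out.println(animal.getFavoriteFoodsCount());   // ...does not change the Animal: prints 2
        try {
            animal.getFavoriteFoods().add("Pizza");
        } catch (UnsupportedOperationException e) {
            System.out.println("getFavoriteFoods() is read-only");
        }
    }
}
```

Run it with `java Animal.java`. The defensive copy in the constructor protects against the caller changing the list later; the unmodifiable view protects against the caller changing it through the getter. Both are needed for the object to be immutable.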
Does the clone() method copy shallow or deep?
Shallow by default: the new object gets copies of the primitive fields, but reference fields still point to the same objects as the original.
What happens if clone() is called on an object that doesn't implement Cloneable?
Object.clone() throws a CloneNotSupportedException.
What can be considered untrusted data?
E.g. user input, data read from files, data retrieved from databases: any data that did not originate from your program.
What is command injection? How do you prevent it?
Untrusted input that is passed on to a file system or operating system command and changes what that command does. In the code below, typing ".." (go back one directory) as dirName makes Files.walk() list files outside c:/data/diets/. Prevent it with a whitelist of the directory names you expect.
import java.io.Console;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.stream.Stream;

public class DietReader {
    public static void main(String[] args) throws IOException {
        Console console = System.console();
        String dirName = console.readLine();                // untrusted input, e.g. ".."
        Path path = Paths.get("c:/data/diets/" + dirName);  // ".." escapes the diets directory
        try (Stream<Path> stream = Files.walk(path)) {
            stream.filter(p -> p.toString().endsWith(".txt")).forEach(System.out::println);
        }
    }
}
How do you prevent command injection with lists? Which one is preferred?
Whitelists (allowed values) or blacklists (forbidden values). Prefer whitelists: a blacklist only stops the malicious inputs you thought of.
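A hardened version of the diet-listing code from the command injection card above, using the whitelist the two cards recommend. This is an added example, not code from the flashcard set; the base directory, the set of allowed animal names and the inputs tried in main() are assumptions made for the example. As a second layer (defense in depth) it also normalizes the resolved path and verifies it is still inside the base directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.stream.Stream;

public class SafeDietReader {
    // Base directory and the allowed animal names are assumptions made for this example
    private static final Path BASE = Paths.get("c:/data/diets").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED = Set.of("grasshopper", "lion", "zebra");

    /** Whitelist check: only directory names we expect pass; ".." or "lion/.." never match. */
    static boolean isAllowedName(String dirName) {
        return dirName != null && ALLOWED.contains(dirName);
    }

    /** Defense in depth: even for an allowed name, resolve, normalize and verify that the
     *  result is still inside BASE before touching the file system. */
    static Path resolveUnderBase(String dirName) {
        if (!isAllowedName(dirName)) {
            throw new IllegalArgumentException("directory not allowed: " + dirName);
        }
        Path candidate = BASE.resolve(dirName).normalize();
        if (!candidate.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes the base directory: " + candidate);
        }
        return candidate;
    }

    /** Same listing as the vulnerable version, but only for a validated directory. */
    static void listDiets(String dirName) throws IOException {
        Path path = resolveUnderBase(dirName);
        try (Stream<Path> stream = Files.walk(path)) {
            stream.filter(p -> p.toString().endsWith(".txt")).forEach(System.out::println);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid name and two traversal attempts
        for (String input : new String[] {"lion", "..", "lion/../../etc"}) {
            try {
                System.out.println(input + " -> " + resolveUnderBase(input));
            } catch (IllegalArgumentException e) {
                System.out.println(input + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

main() only exercises the validation so the example runs without the directory existing; listDiets() is what the original program would call once the name has passed. The startsWith(BASE) check matters even with a whitelist: if the allowed set is ever loaded from configuration, a stray entry cannot walk out of the base directory.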
Which sensitive contexts should confidential data be kept out of, so that it does not escape?
* log files
* printed exceptions or stack traces
* System.out and System.err messages
* data files written by the application
Why should confidential data be stored in a char[] instead of a String?
A String is immutable and may be interned in the string pool, so the secret stays in memory until the garbage collector gets to it. A char[] can be overwritten (e.g. with Arrays.fill) as soon as it is no longer needed, so it lives in memory only as long as you want.
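Reading a password into a char[] and wiping it after use, as an added example that is not part of the flashcard set. The expected password, the fallback input used when no terminal is attached and the PasswordInput class name are constructed for the example; the non-short-circuiting comparison is an extra precaution the card does not mention (a real program would compare against a password hash rather than a stored password).

```java
import java.io.Console;
import java.util.Arrays;

public class PasswordInput {
    /** Compares two char arrays without stopping at the first mismatch, so the time taken
     *  does not reveal how many leading characters were correct. */
    static boolean matches(char[] entered, char[] expected) {
        if (entered.length != expected.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < entered.length; i++) {
            diff |= entered[i] ^ expected[i];
        }
        return diff == 0;
    }

    /** Overwrites the secret as soon as it has been used; a String could not be cleared like this. */
    static void wipe(char[] secret) {
        Arrays.fill(secret, '\0');
    }

    public static void main(String[] args) {
        // Constructed sample; the literal itself lands in the string pool, which is exactly
        // why real code keeps a hash instead of the password
        char[] expected = "opensesame".toCharArray();
        Console console = System.console();
        // Console.readPassword() returns a char[] and does not echo; fall back to a sample
        // value when the program is not attached to a terminal
        char[] entered = console != null
                ? console.readPassword("Password: ")
                : "opensesame".toCharArray();
        try {
            System.out.println(matches(entered, expected) ? "access granted" : "access denied");
        } finally {
            wipe(entered);      // both copies are zeroed whether or not the check succeeded
            wipe(expected);
        }
        System.out.println("first char after wipe: " + (int) entered[0]);   // 0
    }
}
```

Console.readPassword() is the reason the JDK hands back a char[] here and not a String: the caller is expected to zero it, which the finally block does on every path.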
How do you prevent command injection?
Whitelists, blacklists, and limiting file access with file system permissions.
What does defense in depth mean?
Applying several independent protection techniques to an application, so that it stays protected if one of them fails.
How do you specify which fields get serialized? (two ways)
Mark the fields that must not be serialized as transient, or list the fields that should be serialized in an array:
private static final ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("name", String.class) };
What is the opposite of transient?
The serialPersistentFields array: transient excludes a single field, serialPersistentFields names exactly the fields to include:
private static final ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("name", String.class) };
What modifiers are required for serialPersistentFields?
private static final (otherwise the array is ignored)
How do you ensure that fields are encrypted during serialization?
Implement private void writeObject(ObjectOutputStream s) and private void readObject(ObjectInputStream s) in the class and do the encryption and decryption there.
What exception is thrown when a field is marked transient or is not in serialPersistentFields?
IllegalArgumentException, if you try to write such a field through ObjectOutputStream.PutField.put(); a transient field is otherwise simply skipped.
What is readResolve() for?
To control which object deserialization actually hands back, e.g. to return an existing instance instead of the newly created one (singletons, canonical instances).
When does readResolve() run?
After the readObject() method.
What is writeReplace() for?
To control which object gets written to the stream instead of this, e.g. a simpler replacement object.
When does writeReplace() run?
Before writeObject().
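The serialization cards above (transient, serialPersistentFields, encrypting in writeObject()/readObject(), readResolve()) worked through in one class. This is an added example, not code from the flashcard set: the ZooKeeper class, its registry of canonical instances, and the per-run AES-GCM key are assumptions made for the example (a real application loads its key from a key store).

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SerializationDemo {
    // Demo-only key generated per JVM run; a real application loads it from a key store
    private static final SecretKey KEY;
    static {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(128);
            KEY = kg.generateKey();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** AES-GCM with a random 12-byte IV prepended to the ciphertext, Base64-encoded for the stream. */
    static String encrypt(String plain) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    static final class ZooKeeper implements Serializable {
        private static final long serialVersionUID = 1L;
        // Canonical instances by name, used by readResolve() to avoid creating duplicates
        private static final Map<String, ZooKeeper> REGISTRY = new ConcurrentHashMap<>();
        private String name;
        private transient String badgePin;     // transient: never written to the stream
        // Explicit list of serializable fields: only "name" exists in the stream
        private static final ObjectStreamField[] serialPersistentFields = {
            new ObjectStreamField("name", String.class)
        };

        ZooKeeper(String name, String badgePin) {
            this.name = name;
            this.badgePin = badgePin;
            REGISTRY.put(name, this);
        }

        private void writeObject(ObjectOutputStream s) throws IOException {
            ObjectOutputStream.PutField fields = s.putFields();
            try {
                fields.put("name", encrypt(name));   // ciphertext, not cleartext, goes into the stream
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
            s.writeFields();
        }

        private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField fields = s.readFields();
            try {
                name = decrypt((String) fields.get("name", null));
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        }

        // Runs after readObject(): validate, then hand back the existing instance if there is one
        private Object readResolve() throws ObjectStreamException {
            if (name == null || name.isBlank()) {
                throw new InvalidObjectException("name missing");
            }
            return REGISTRY.computeIfAbsent(name, n -> this);
        }
    }

    public static void main(String[] args) throws Exception {
        ZooKeeper keeper = new ZooKeeper("Grace", "1234");            // constructed sample object
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(keeper);
        }
        String dump = new String(bos.toByteArray(), StandardCharsets.ISO_8859_1);
        System.out.println("stream contains cleartext name: " + dump.contains("Grace"));   // false
        System.out.println("stream contains the PIN: " + dump.contains("1234"));          // false
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ZooKeeper back = (ZooKeeper) in.readObject();
            System.out.println("same instance via readResolve: " + (back == keeper));     // true
        }
    }
}
```

Because readResolve() returns the registered instance, the object the caller receives still carries its badgePin from the live JVM; the stream itself never contained it. If you add fields to serialPersistentFields that do not match a real field of the class, defaultWriteObject()/defaultReadObject() throw InvalidClassException and you must go through putFields()/readFields() as this class does.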
How do you construct sensitive objects?
- make the class private (e.g. a private nested class) or final, so it cannot be subclassed
- make methods private
- make the constructor private
What is a resource leak and how do you prevent it?
A resource (file, stream, connection) that is opened but never closed. Close it, ideally with try-with-resources so it is closed even when an exception is thrown.
Why is reading a file without checking its size a problem?
The file could be very large and fill up the heap. Check the size first to prevent memory issues.
What is an inclusion attack?
E.g. the billion laughs attack or a zip bomb: a small file that expands more and more while being processed and becomes really big.
What is the problem with overflowing numbers? How do you prevent it?
Unpredictable results, because the value silently wraps around. Validate input ranges before calculating with them.
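The resource leak, file size and overflow cards above in one runnable class. This is an added example, not code from the flashcard set; the 1 MiB limit, the BoundedFileRead class name and the temporary sample file written in main() are assumptions made for the example. It also handles the case the size-check card does not mention: a file that grows between the size check and the read.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class BoundedFileRead {
    // Maximum number of bytes this program is willing to hold in memory (an assumed limit)
    static final int MAX_BYTES = 1024 * 1024;

    /** Checks the size on disk first, then re-checks while reading in case the file grew in between. */
    static byte[] readBounded(Path file) throws IOException {
        long size = Files.size(file);
        if (size > MAX_BYTES) {
            throw new IOException("refusing to read " + size + " bytes (limit " + MAX_BYTES + ")");
        }
        // try-with-resources closes the stream on every path, so there is no resource leak
        try (InputStream in = Files.newInputStream(file)) {
            byte[] data = in.readNBytes(MAX_BYTES + 1);   // never reads more than limit + 1 bytes
            if (data.length > MAX_BYTES) {
                throw new IOException("file grew past the limit while being read");
            }
            return data;
        }
    }

    /** Math.addExact throws ArithmeticException instead of silently wrapping around. */
    static int addChecked(int total, int chunk) {
        return Math.addExact(total, chunk);
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempFile("diet", ".txt");          // constructed sample file
        try {
            Files.writeString(tmp, "Apples\nHay\n", StandardCharsets.UTF_8);
            byte[] data = readBounded(tmp);
            System.out.println("read " + data.length + " bytes");  // 11
        } finally {
            Files.deleteIfExists(tmp);
        }

        int total = Integer.MAX_VALUE;
        System.out.println("plain + : " + (total + 1));            // wraps to -2147483648
        try {
            addChecked(total, 1);
        } catch (ArithmeticException e) {
            System.out.println("addExact: " + e.getMessage());     // integer overflow
        }
    }
}
```

readNBytes(MAX_BYTES + 1) is the second line of defense: Files.size() alone is a check-then-use race, since another process can append to the file after the check. Reading one byte past the limit is enough to detect that without ever buffering an unbounded amount.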
What is "wasting data structures"?
E.g. creating a class whose hashCode() always returns 42 and putting many instances into a HashMap (every entry lands in the same bucket, so lookups degrade to a linear search), or creating very large data structures.
Does ArrayList have a copy() method?
No; copy it with the copy constructor new ArrayList<>(list) or with clone().
What does ArrayList.clone() return?
Object, so it has to be cast.
Where is the clone() method declared?
In the Object class.
What's the difference between a blacklist and a whitelist?
A whitelist compares input against the allowed values (and may throw an exception if the input is not among them); a blacklist compares against known bad values and rejects those.
What does ObjectInputStream.readObject() return?
Object (cast it to the expected type)
What does readResolve() return?
Object (the instance that replaces the deserialized one)
Where are the 5 key interfaces for JDBC declared?
In the JDK (package java.sql)
Where do we get the concrete classes for the JDBC interfaces from?
From the JDBC driver
Which interfaces are implemented in the driver JAR?
Driver, Connection, PreparedStatement, CallableStatement, ResultSet
Do we use the concrete JDBC classes in code?
No, only the interfaces
What is necessary in a JDBC URL? Which colons?
The prefix jdbc, the subprotocol for the database, and the name/address of the database, separated by colons:
jdbc:postgresql://localhost/zoo
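The JDBC cards above in use: only the java.sql interfaces appear in the code, the driver JAR supplies the classes behind them, and the URL from the card selects the driver. This is an added example, not code from the flashcard set; it assumes a PostgreSQL driver on the class path, a zoo database with an animal table that has name and species columns, and the credentials shown. The bound parameter is also the reason the untrusted animal name cannot be injected into the query.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class ZooQuery {
    // Assumptions for this example: driver on the class path, database and credentials exist
    private static final String URL = "jdbc:postgresql://localhost/zoo";
    private static final String USER = "zoo";
    private static final String PASSWORD = "zoo";

    /** Looks up an animal by name. The code only names interfaces; DriverManager picks the
     *  driver from the jdbc:postgresql prefix and returns the driver's Connection class. */
    static String findAnimal(String name) throws SQLException {
        // Untrusted input goes in as a bound parameter, never concatenated into the SQL text
        String sql = "select name, species from animal where name = ?";
        try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD);
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                return rs.getString("name") + " (" + rs.getString("species") + ")";
            }
        }
    }

    /** Shows that the object behind the Connection interface comes from the driver JAR. */
    static String driverClassOf(Connection conn) {
        return conn.getClass().getName();
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD)) {
            System.out.println("Connection implemented by: " + driverClassOf(conn));
        }
        System.out.println(findAnimal("grasshopper"));
        // A value that would change the query if it were concatenated; bound, it matches no row
        System.out.println(findAnimal("x' or '1'='1"));
    }
}
```

The three try-with-resources blocks close the ResultSet, PreparedStatement and Connection in reverse order even when a SQLException is thrown, which is the resource leak card applied to JDBC.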