This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
CRV2 RevCodePersistentAntiPatternJava
Java Persistence anti-patterns
Spring –Hibernate Anti-patterns
Some of the following anti-patterns are an important concerns on the security area for Java applications. A related problem with these anti-patterns is data integrity.
Lazy loading
This feature reduces the handling of data in an asynchronous way, which avoids unnecessary requests to the database, however it can causes problems with persistence. Errors associated with Lazy loading are:
org.hibernate.StaleObjectStateException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
N+1 Select issue
This problem occurs when the collection is returned from the database, containing n+1 separate queries instead of a single join query. This issue is quite challenging to solve because it depends on the specific implementation of the code, therefore look for the following executions:
- Control that mapping configurations are updated for affected domain classes
- Add the @ManyToMany @Fetch(FetchMode.JOIN) as a query strategy to override the Lazy behavior if necessary
- Review Tuning fetching strategies from Hibernate reference (http://docs.jboss.org/hibernate/core/3.3/reference/en/html/performance.html#performance-fetching-custom)
Hibertane issues with DAO (Data Access Objects): Sessions per Operation anti-pattern
Control proper implementation of persistence context. Problem occurs when DAO use different persistence context for each one, in other words, a different Session or EntityManager.
Long Term Persistence Security Issues
Long-term persistence is a model that enables beans to be saved in XML format.(Java Tutorial, 2013). For this purpose, a programmer can use XMLEncoder class to pass through output files for textual representation of Serializable objects.In the example provided in the Java Tutorial, the programmer can invoke and create an instance of javax.swing.JButton such as this
<object class="javax.swing.JButton">
<void method="setText">
<string>Cancel</string>
</void>
</object>
The vulnerability occurs when instead of passing acquitted XML code, the attacker sends dangerous Payloads. This vulnerability was shown by Dinis Cruz, Alvaro Muñoz and Abraham Kang in DefCon Conference 2013 “Resting on Your Laurels will get you Pwned: Effectively Code Reviewing REST Applications to avoid getting powned”
As explained by Dinis Cruz (2013) in his blog "there are two key scenarios where this ‘feature’ becomes a spectacular vulnerability:
- Server-side backend system that process attacker-controlled XML files using XMLDecoder
- REST APIs that uses XMLDecoder to create strongly type objects from the HTTP Request data
And the 2nd case is exactly what happens with Restlet REST API , which wraps XMLDecode in its org.restlet.representation.ObjectRepresentation<T> feature/class."(Cruz, 2013)
References
Oracle, 2013 "Java Tutorials" available at http://docs.oracle.com/javase/tutorial/javabeans/advanced/longpersistence.html Accessed on 3rd October 2013
Dinis Cruz, 2013 "Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)" available at http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html Accessed on 3rd October 2013
