Versions Compared

Comment: s/rule/rec/g;

...

To mitigate these risks, by default classes should be declared final unless there is a definite need for the class to be extensible. In that case, developers must carefully design the class with extensibility in mind. As a specific instance of this recommendation, classes that are designed to be treated as immutable either must be declared final or must have all of their member methods and fields declared final or private.
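The following is an added illustration, not code from the CERT standard: a value class intended to be immutable but left nonfinal, a hypothetical subclass that breaks its invariant, and the hardened final form. All class names, the balance value and the `withdraw` caller are constructed for this example.

```java
// Added illustration, not code from the CERT standard: a value class that
// was meant to be immutable but left nonfinal, beside its hardened form.
public class FinalClassDemo {

    // Noncompliant: "immutable" in intent, but nonfinal and overridable.
    static class Money {
        private final long cents;
        Money(long cents) { this.cents = cents; }
        public long getCents() { return cents; }
    }

    // Hypothetical subclass that breaks the invariant that getCents()
    // returns the same value on every call.
    static class FlakyMoney extends Money {
        private int calls = 0;
        FlakyMoney(long cents) { super(cents); }
        @Override public long getCents() {
            return calls++ == 0 ? super.getCents() : 1_000_000L;
        }
    }

    // Compliant: final class with final fields. An attempted
    // "class Evil extends SafeMoney" is rejected by the compiler,
    // so every caller can rely on getCents() being stable.
    static final class SafeMoney {
        private final long cents;
        SafeMoney(long cents) { this.cents = cents; }
        public long getCents() { return cents; }
    }

    static long balance = 100;  // constructed sample state

    // Caller trusts Money to be immutable: validates once, then reads again.
    static boolean withdraw(Money amount) {
        if (amount.getCents() > balance) {
            return false;                  // first read: 50, passes the check
        }
        balance -= amount.getCents();      // second read: 1_000_000
        return true;
    }

    public static void main(String[] args) {
        boolean ok = withdraw(new FlakyMoney(50));
        // The check passed, yet the balance is now negative.
        System.out.println(ok + " " + balance);
    }
}
```

Declaring `Money` final (or making `getCents()` final) removes the override and with it the gap between the validated value and the value later used.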

...

public class BigInteger {
  // The security check runs as an argument to this(...), so it completes
  // before any field of the new object is initialized. If the check throws,
  // no partially constructed instance is ever handed to a subclass.
  public BigInteger(String str) {
    this(str, check());
  }

  private BigInteger(String str, boolean dummy) {
    // Regular construction goes here
  }

  private static boolean check() {
    securityManagerCheck(); // placeholder for the permission check; throws on failure
    return true;
  }
}

Risk Assessment

Permitting a nonfinal class or method to be inherited without checking the class instance allows a malicious subclass to misuse the privileges of the class.

...

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
OBJ58-J   Medium    Likely      Medium            P12       ...

Automated Detection

This rule is not checkable because it depends on factors that are unspecified in the code, including the invariants upon which the code relies and the necessity of designating a class as extensible, among others. However, simple statistical methods might be useful to find codebases that violate this rule by checking whether a given codebase contains a higher-than-average number of classes left nonfinal.

...