...
```java
private static final String[] items = {/* ... */};

public static final String[] getItems() {
  return items.clone();
}
```
Because a copy of the array is returned, the original array values cannot be modified by a client. Note that a manual deep copy could be required when dealing with arrays of objects. This generally happens when the objects do not export a clone() method. Refer to OBJ06-J. Defensively copy mutable inputs and mutable internal components for more information.
...
```java
private static final String[] items = { ... };

public static final List<String> itemsList =
  Collections.unmodifiableList(Arrays.asList(items));
```
Neither the original array values nor the public list can be modified by a client. For more details about unmodifiable wrappers, refer to SEC57-J. Provide sensitive mutable classes with unmodifiable wrappers. This solution can also be used when the array contains mutable items instead of String objects.
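The following runnable class is an added example and not code from the CERT page: it places a noncompliant public final array next to the two compliant solutions above (a clone()-returning getter and an unmodifiable list wrapper) and adds the manual deep copy the text calls for when the elements are mutable objects. The class name, the Date elements and the sample strings are constructed for the demonstration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;

// Added example (not from the original page): a final reference does not make
// the referenced array immutable; only defensive copies or unmodifiable views do.
public final class FinalReferenceDemo {

    // Noncompliant: the reference is final, but any client can overwrite elements.
    public static final String[] EXPOSED = {"alpha", "beta"};

    // Compliant (1): private array, getter hands out a copy.
    private static final String[] items = {"alpha", "beta"};

    public static String[] getItems() {
        return items.clone();
    }

    // Compliant (2): private array exposed only through an unmodifiable view.
    public static final List<String> itemsList =
        Collections.unmodifiableList(Arrays.asList(items));

    // Arrays of mutable objects need a manual deep copy: a shallow clone()
    // of the array would still share the element references with the caller.
    private static final Date[] timestamps = { new Date(0L), new Date(1000L) };

    public static Date[] getTimestamps() {
        Date[] copy = new Date[timestamps.length];
        for (int i = 0; i < timestamps.length; i++) {
            copy[i] = (Date) timestamps[i].clone(); // java.util.Date exports clone()
        }
        return copy;
    }

    public static void main(String[] args) {
        // 1. The "final" array is silently modified by a client.
        EXPOSED[0] = "tampered";
        System.out.println("EXPOSED[0] = " + EXPOSED[0]);         // tampered

        // 2. Changing the returned clone leaves the internal array untouched.
        String[] copy = getItems();
        copy[0] = "tampered";
        System.out.println("getItems()[0] = " + getItems()[0]);    // alpha

        // 3. The unmodifiable view rejects element replacement.
        try {
            itemsList.set(0, "tampered");
        } catch (UnsupportedOperationException e) {
            System.out.println("itemsList.set() rejected: " + e.getClass().getSimpleName());
        }

        // 4. Mutating a deep-copied element does not reach the internal array.
        Date[] dates = getTimestamps();
        dates[0].setTime(999_999L);
        System.out.println("internal epoch = " + getTimestamps()[0].getTime()); // 0
    }
}
```

Compile and run with `javac FinalReferenceDemo.java && java FinalReferenceDemo`. Step 1 is the defect the guideline describes; steps 2 to 4 show that each compliant form keeps the internal state unchanged after a client's write attempt.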
...
Analysis
Incorrectly assuming that final references cause the contents of the referenced object to remain immutable can result in an attacker modifying an object thought by the programmer to be immutable.
...
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
OBJ50-JG | low | probable | medium | P4 | L3
Related Guidelines

CWE ID 607, "Public Static Final Field References Mutable Object"

...

Item 13: Minimize the accessibility of classes and members

Chapter 6

[JLS 2005]