SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 18

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2022.2
Warning
titleEliminated Guideline

This guideline has been labeled void and designated for future elimination from the Cert Oracle Secure Coding Standard for Java. This guideline has not been erased yet in case it contains information that might still be useful.

A non-empty array is always mutable, so a public static final array makes no sense; clients will be able Do not expose references to mutable objects to client code. Never initialize such a field to a client-provided object reference or return the object reference from an accessor. Exposing a public static final object allows clients to modify the contents of the array object (although they will not be able to change the array object itself, as it is final).

This rule does not address private mutable objects, see rule OBJ05-J. Do not return references to private mutable class members for more information.

Noncompliant Code Example

Suppose that SomeType is immutable.

Code Block
bgColor#FFCCCC

public static final SomeType [] SOMETHINGS = { ... };

Wiki Markup
With this declaration, {{SOMETHINGS\[1\]}}, etc. can be modified by clients of the code.

Compliant Solution

Even though SomeType is immutable, this declaration allows the SOMETHINGS array to be modified by untrusted clients of the code. Any element of the array can be assigned a new value, namely a reference to a new SomeType object.

This noncompliant code example also violates OBJ01-J. Limit accessibility of fields.

Noncompliant Code Example (getter method)

This noncompliant code example complies with OBJ01-J. Limit accessibility of fields by declaring the array private. But, in declaring the array private, this code example violates OBJ05-J. Do not return references to private mutable class members.

Suppose that SomeType is immutable.

Code Block
bgColor#FFCCCC
private static final SomeType [] SOMETHINGS = { ... };
public static final getSomethings() {return SOMETHINGS;}

Even though SomeType is immutable, the public getter method enables untrusted clients to modify the SOMETHINGS array. Any element of the array can be assigned a new value, namely a reference to a new SomeType object.

Compliant Solution (clone)

Continuing with the assumption that SomeType is immutable, one One approach is to have a private array and a public method that returns a copy of the array:

Code Block
bgColor#ccccff

private static final SomeType [] SOMETHINGS = { ... };
public static final SomeType [] somethings() {
  return SOMETHINGS.clone();
}

Now, the original array values cannot be modified by a clientany client.  If SomeType were mutable, this approach would not be effective because the array clone references the same SomeType objects as the SOMETHINGS array. If the client modified the clone SomeType objects directly, the SomeType objects referenced by the SOMETHINGS array would also change.

Compliant Solution

...

(Unmodifiable List)

Continuing with the assumption that SomeType is immutable, an An alternative approach is to have a private array from which a public immutable list is contructedconstructed:

Code Block
bgColor#ccccff

private static final SomeType [] THE_THINGS = { ... };
public static final List<SomeType> SOMETHINGS =
  Collections.unmodifiableList(Arrays.asList(THE_THINGS));

Now, neither the original array values nor the public list can be modified by a client. If SomeType were mutable, this would not be effective because the list references the same SomeType objects as the SOMETHINGS array. The unmodifiabileList prevents the list from being modified, not the elements in the list. If the client modified the list's SomeType objects directly, the SomeType objects referenced by the SOMETHINGS array would also change.

Risk Assessment

Having a public static final array is a potential security risk , as because the array elements may be modified by a client.

Guideline
Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC37

OBJ13-J

medium

Medium

likely

Likely

low

Low

P18

L1

Automated Detection

...

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.OBJ13.RMOAvoid referencing mutable fields
SonarQube
Include Page
SonarQube_V
SonarQube_V

S2386

S2384

Mutable fields should not be "public static"

Mutable members should not be stored or returned directly

SpotBugs

Include Page
SpotBugs_V
SpotBugs_V

MS_EXPOSE_REP
EI_EXPOSE_REP
EI_EXPOSE_STATIC_REP2
EI_EXPOSE_STATIC_REP2

Implemented (since 4.3.0)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

References

...

...

[

...

Bloch

...

2008]Item 13, "Minimize the Accessibility of Classes and Members"
[JLS 2015]§6.6, "Access Control"


...

Image Added Image Added Image Added|AA. Bibliography#Bloch 08]\] Item 13: Minimize the accessibility of classes and membersSEC36-J. Ensure that the bytecode verifier is applied to all involved code upon any modification      Platform Security (SEC)      03. Declarations and Initialization (DCL)