A nested class is any class whose declaration occurs within the body of another class or interface [[JLS 2005]]. Nested classes are a broad set of classes that are classified as static
classes and inner classes. "An inner class is a nested class that is not explicitly or implicitly declared static
" [[JLS 2005]]. An inner class may be local, anonymous, or non-static.
The use of a nested class is error-prone unless the semantics are well understood. A common notion is that only the outer class can access the contents of the nested class. Not only does the nested class have access to the private
fields of the outer class, the same fields can be accessed by another class in the package depending on whether the nested class is declared public
or if it contains public
methods or constructors. By default, the javac
compiler converts the accessibility of private
methods of a nested class to package-private.
Also, according to the Java Language Specification [[JLS 2005]], Section 8.3 "Field Declarations"
Note that a
private
field of a superclass might be accessible to a subclass (for example, if both classes are members of the same class). Nevertheless, aprivate
field is never inherited by a subclass.
Noncompliant Code Example
This noncompliant code example exposes the sensitive (x,y)
coordinates through the getPoint()
method of the inner class. Consequently, the AnotherClass
class that belongs to the same package can access the coordinates.
class Coordinates { private int x; private int y; public class Point { public void getPoint() { System.out.println("(" + x + "," + y + ")"); } } } class AnotherClass { public static void main(String[] args) { Coordinates c = new Coordinates(); Coordinates.Point p = c.new Point(); p.getPoint(); } }
Compliant Solution
Use the private
access specifier for hiding the inner class and all contained methods and constructors. The compiler will refuse to compile AnotherClass
because of its attempt to access a private nested class.
class Coordinates { private int x; private int y; private class Point { private void getPoint() { System.out.println("(" + x + "," + y + ")"); } } } class AnotherClass { public static void main(String[] args) { Coordinates c = new Coordinates(); Coordinates.Point p = c.new Point(); // fails to compile p.getPoint(); } }
Risk Assessment
The Java Language System weakens the accessibility of sensitive, private
entities in inner classes which can result in a security weakness.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
OBJ14-J |
medium |
probable |
medium |
P8 |
L2 |
Automated Detection
Automated detection of non-private nested classes that define non-private members and constructors is straight-forward. However, this guideline applies only when those classes could potentially expose sensitive data or operations from the outer class. Detection of sensitive data or operations requires programmer assistance.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Related Guidelines
MITRE CWE: CWE-492 "Use of Inner Class Containing Sensitive Data"
Bibliography
[[JLS 2005]] Section 8.1.3, Inner Classes and Enclosing Instances and Section 8.3 "Field Declarations"
[[Long 2005]] Section 2.3, Inner Classes
[[McGraw 2000]]
OBJ13-J. Do not leak references to inner class objects when the outer class object maintains sensitive data 04. Object Orientation (OBJ) 05. Methods (MET)