Callers can trivially access and modify public non-final static fields. Neither accesses nor modifications can be checked by a SecurityManager, and newly set values can not be validated. Furthermore multiple threads can modify non-final public static data in ways that are not consistent.
Noncompliant code example
This is an example from the JDK 1.4.2 software.
package org.apache.xpath.compiler; public class FunctionTable { public static FuncLoader m_functions; }
An attacker can replace the function table as follows
FunctionTable.m_functions = <new_table>;
Replacing the function table gives the attacker access to the XPathContext used to evaluate XPath expression. Static variables are global across a Java runtime environment. They can be used as a communication channel between different application domains (e.g. by code loaded into different class loaders) .
There are a few ways this problem can be avoided.
Compliant Solution
Treat public static fields as constants and declare them as final. Consider the use of enum types.
package org.apache.xpath.compiler; public class FunctionTable { public static final FuncLoader m_functions; }
... public static final FuncLoader m_functions; ...
Additionally for mutable static state one can define assessor methods and add appropriate security checks.
public class MyClass { private static byte[] data; public static byte[] getData() { return data.clone(); } public static void setData(byte[] b) { securityCheck(); data = b.clone(); } }
Risk Assessment
Unauthorized modifications to public static variables can result in unexpected behavior and can bypass important security checks and/or invoke malicious code.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
OBJ31-J |
high |
likely |
low |
P9 |
L2 |
References
Avoiding Antipatterns Antipattern 5, Misusing Public Static Variables
Java Secure Coding Guidelines Section 3.1, Treat public static fields as constants
Function Table Field detail, public static FuncLoader m_functions