A nested class is any class whose declaration occurs within the body of another class or interface [[JLS 2005]]. Nested classes are a broad set of classes that are classified as static member and inner classes. "An inner class is a nested class that is not explicitly or implicitly declared static" [[JLS 2005]]. An inner class may be local, anonymous, or non-static.
The use of a nested class is error-prone unless the semantics are well understood. A common notion is that only the outer class can access the contents of the nested inner class(es). Not only does the nested class have access to the private fields of the outer class, the same fields can be accessed by another class in the package depending on whether the nested class is declared public or if it contains public methods/constructors. By default, the javac compiler converts the accessibility of private methods of a nested class to package-private.
Also, according to the Java Language Specification [[JLS 2005]], Section 8.3
"Field Declarations"
Note that a
privatefield of a superclass might be accessible to a subclass (for example, if both classes are members of the same class). Nevertheless, aprivatefield is never inherited by a subclass.
Noncompliant Code Example
This noncompliant code example exposes the sensitive (x,y) coordinates through the getPoint() method of the inner class. Consequently, the AnotherClass class that belongs to the same package can access the coordinates.
class Coordinates {
private int x;
private int y;
public class Point {
public void getPoint() {
System.out.println("(" + x + "," + y + ")");
}
}
}
class AnotherClass {
public static void main(String[] args) {
Coordinates c = new Coordinates();
Coordinates.Point p = c.new Point();
p.getPoint();
}
}
Compliant Solution
Use the private access specifier for declaring the inner class(es) and all contained methods and constructors. The compiler will refuse to compile AnotherClass because of its attempt to access a private nested class.
class Coordinates {
private int x;
private int y;
private class Point {
private void getPoint() {
System.out.println("(" + x + "," + y + ")");
}
}
}
class AnotherClass {
public static void main(String[] args) {
Coordinates c = new Coordinates();
Coordinates.Point p = c.new Point(); // fails to compile
p.getPoint();
}
}
Risk Assessment
The Java Language System weakens the accessibility of sensitive, private entities in inner classes which can result in a security weakness.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
OBJ17-J |
medium |
probable |
medium |
P8 |
L2 |
Automated Detection
Automated detection of non-private nested classes that define non-private members and constructors is straight-forward. However, this guideline applies only when those classes could potentially expose sensitive data or operations from the outer class. Detection of sensitive data or operations requires programmer assistance.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Related Guidelines
MITRE CWE: CWE-492 "Use of Inner Class Containing Sensitive Data"
Bibliography
[[JLS 2005]] Section 8.1.3, Inner Classes and Enclosing Instances and Section 8.3 "Field Declarations"
[[McGraw 2000]]
[[Long 2005]] Section 2.3, Inner Classes
OBJ16-J. Don't pass a reference to an object of an inner class when the outer class maintains sensitive data 04. Object Orientation (OBJ) 05. Methods (MET)