This page contains ad hoc TODO ideas or topics currently being investigated. Please feel free to comment on these or suggest new ones.
Possible Changes to Current Guidelines
- All classes and methods will need to include the final keyword. Although this works against extensibility, it is critical from a security point of view.
- All file separators must be replaced by the platform-independent File.separator
- Possibly use the memento design pattern with deserialization. An inner class performs input validation using 'safe' objects (for example, long to store int values) and then updates the state of the actual outer class, and so on, Item 50 [Daconta 03]
- readResolve() for deserialization (singletons). Do not serialize sensitive external mutable variables (best to declare them transient)
- Calling super.clone() is necessary.
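
A sketch of the memento idea from the deserialization item above, added here as an illustration; it is not code from this page or from [Daconta 03]. The class Window, its fields and its invariant are hypothetical. The inner memento holds the int state as long, so the range and sum checks cannot overflow before the values are narrowed and handed to the outer class.

```java
import java.io.*;

// Hypothetical class; invariant: start >= 0, length >= 0, start + length fits in an int.
public final class Window implements Serializable {
    private static final long serialVersionUID = 1L;
    private final int start;
    private final int length;

    public Window(int start, int length) {
        if (start < 0 || length < 0 || (long) start + length > Integer.MAX_VALUE) {
            throw new IllegalArgumentException("invalid window");
        }
        this.start = start;
        this.length = length;
    }

    // Serialize the memento in place of the outer object.
    private Object writeReplace() { return new Memento(start, length); }

    // Reject streams that try to deserialize the outer class directly.
    private void readObject(ObjectInputStream in) throws InvalidObjectException {
        throw new InvalidObjectException("memento required");
    }

    // Memento keeps the state in wider 'safe' types (long for int values).
    private static final class Memento implements Serializable {
        private static final long serialVersionUID = 1L;
        private final long start;
        private final long length;

        Memento(long start, long length) { this.start = start; this.length = length; }

        // Bound each value first so the sum cannot overflow long, then narrow.
        private Object readResolve() throws InvalidObjectException {
            if (start < 0 || start > Integer.MAX_VALUE || length < 0
                    || length > Integer.MAX_VALUE || start + length > Integer.MAX_VALUE) {
                throw new InvalidObjectException("stream holds invalid window state");
            }
            return new Window((int) start, (int) length);
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Window(10, 3)); // written as a Memento
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            Window w = (Window) in.readObject(); // rebuilt via Memento.readResolve()
            System.out.println(w.start + " " + w.length);
        }
    }
}
```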
Possible Recommendations
- Be careful when using environment variables; investigate usual conditions
- Use HttpSession carefully, Item 25 [Daconta 03]
- For good portability, do not assume that all DBMSs can tolerate several open ResultSet objects at a time, Item 41 [Daconta 03]
- Thread.interrupted issues
- Java encoding issues
- Prefer composition over inheritance
- Avoid flaws in interfaces
- Naming conventions
- Check nonpublic methods' parameters using assertions rather than normal checks
- Create defensive copies of method params
- Prefer interfaces to abstract classes
- Prefer interfaces to Reflection (methods)
- Failure Atomicity (exceptions should not leave object state inconsistent)
- Avoid ThreadGroup APIs
- Masking, Shadowing, Obscuration
Possible Rules
- Do not catch Error
- Avoid using Reflection to instantiate inner classes
- Use a typesafe enum pattern [Bloch, Item 20]
- Some of the anti-patterns described in EXC00-J. Handle exceptions appropriately
- Do not hardcode sensitive information
- compareTo() contract violations like natural ordering that is not consistent with equals
- Don't catch Throwable without checking for ThreadDeath.
- Usage of GetResource may be unsafe if class is extended [Findbugs]