SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 38 Next »

Do not expose references to mutable objects to client code. Never initialize such a field to a client-provided object reference or return the object reference from an accessor. Exposing a public static final object allows clients to modify the contents of the object (although they will not be able to change the object itself, as it is final).

This rule does not address private mutable objects, see rule OBJ05-J. Do not return references to private mutable class members for more information.

Noncompliant Code Example

Suppose that SomeType is immutable.

public static final SomeType [] SOMETHINGS = { ... };

This declaration allows the SOMETHINGS array to be modified by untrusted clients of the code. Any element of the array can be assigned a new value.

This noncompliant code example also violates OBJ01-J. Limit accessibility of fields.

Noncompliant Code Example (getter method)

This noncompliant code example complies with OBJ01-J by declaring the array private.

private static final SomeType [] SOMETHINGS = { ... };
public static final getSomethings() {return SOMETHINGS;}

However, the public getter method enables untrusted clients to modify the SOMETHINGS array.

Compliant Solution (clone)

One approach is to have a private array and a public method that returns a copy of the array:

private static final SomeType [] SOMETHINGS = { ... };
public static final SomeType [] somethings() {
  return SOMETHINGS.clone();
}

Now, the original array cannot be modified by any client.

Compliant Solution (Unmodifiable List)

An alternative approach is to have a private array from which a public immutable list is constructed:

private static final SomeType [] THE_THINGS = { ... };
public static final List<SomeType> SOMETHINGS =
  Collections.unmodifiableList(Arrays.asList(THE_THINGS));

Now, neither the original array values nor the public list can be modified by a client.

Risk Assessment

Having a public static final array is a potential security risk because the array elements may be modified by a client.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

OBJ13-J

Medium

Likely

Low

P18

L1

Automated Detection

ToolVersionCheckerDescription
SonarQube
9.9

S2386

S2384

Mutable fields should not be "public static"

Mutable members should not be stored or returned directly

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

References

[Bloch 2008]Item 13, "Minimize the Accessibility of Classes and Members"
[JLS 2015]§6.6, "Access Control"



  • No labels