Invariants cannot be enforced for public nonfinal fields, or final fields that reference a mutable object. A protected member of an exported class represents a public commitment to an implementation detail. Attackers can manipulate such fields to violate class invariants or they may be corrupted by multiple threads accessing them concurrently [Bloch 2008]. As a result, fields must be declared private or package-private.
Noncompliant Code Example (Public Primitive Field)
In this noncompliant code example, the total field tracks the total number of elements as they are added and removed from a container using the methods add() and remove() respectively.
public class Widget {
public int total; // Number of elements
void add() {
if (total < Integer.MAX_VALUE) {
total++;
// ...
} else {
throw new ArithmeticException("Overflow");
}
}
void remove() {
if (total > 0) {
total--;
// ...
} else {
throw new ArithmeticException("Overflow");
}
}
}
As a public field, total can be altered by client code independently of the add() and remove() methods.
Compliant Solution (Private Primitive Field)
Accessor methods provide controlled access to fields outside of the package in which their class is declared. This compliant solution declares total as private and provides a public accessor. The add() and remove() methods modify its value while preserving class invariants.
public class Widget {
private int total; // Declared private
public int getTotal () {
return total;
}
// Definitions for add() and remove() remain the same
}
Accessor methods can perform additional functions, such as input validation and security manager checks, before manipulating the state.
Noncompliant Code Example (Public Mutable Field)
This noncompliant code example shows a static mutable hash map with public accessibility:
public static final HashMap<Integer, String> hm = new HashMap<Integer, String>();
Compliant Solution (Private Mutable Fields)
Mutable fields must be declared private:
private static final HashMap<Integer, String> hm = new HashMap<Integer, String>();
public static String getElement(int key) {
return hm.get(key);
}
Depending on the required functionality, accessor methods may return a copy of the HashMap or a value contained by the HashMap. This compliant solution adds an accessor method that returns the value of an element given its key in the HashMap. Make sure that you do not return references to private mutable objects from accessor methods (see OBJ05-J. Do not return references to private mutable class members for details).
Noncompliant Code Example (Public Final Array)
A nonzero-length array is always mutable. Declaring a public final array is a potential security risk as the array elements may be modified by a client.
public final SomeType [] SOMETHINGS = { ... };
Compliant Solution (Copy the Array)
This compliant solution declares the array private and provides a public accessor method that returns a copy of the array:
private final SomeType [] SOMETHINGS = { ... };
public final SomeType [] somethings() {
return SOMETHINGS.clone();
}
This approach prevents the elements of the class instance of the array from being modified by a client.
Compliant Solution (Construct an Immutable Object)
An alternative approach is to have a private array from which a public immutable list is contructed:
private final SomeType [] THE_THINGS = { ... };
public final List<SomeType> SOMETHINGS =
Collections.unmodifiableList(Arrays.asList(THE_THINGS));
Neither the class instance field nor the public list can be modified by a client.
Exceptions
OBJ01-EX0: Fields with no associated behavior or invariants can be public. According to Sun's Code Conventions document [Conventions 2009]:
One example of appropriate public instance variables is the case where the class is essentially a data structure, with no behavior. In other words, if you would have used a
structinstead of a class (if Java supportedstruct), then it's appropriate to make the class's instance variablespublic.
OBJ01-EX1: Fields in a package-private class or in a private nested class may be pubic or protected. There is nothing inherently wrong with declaring fields to be public or protected in these cases. Eliminating accessor-methods generally improves the readability of the code, both in the class definition and in the client [Bloch 2008].
OBJ01-EX2: Static final fields that contain or reference immutable constants may be public or protected.
Risk Assessment
Failing to limit field accessibility can defeat encapsulation, allow attackers to manipulate fields to violate class invariants, or allow these fields to be corrupted as the result of concurrent accesses from multiple threads.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
OBJ01-J | Medium | Likely | Medium | P12 | L1 |
Automated Detection
Detection of public and protected fields is trivial; heuristic detection of the presence or absence of accessor methods is straightforward. However, simply reporting all detected cases without suppressing those cases covered by the exceptions to this rule would produce excessive false positives. Sound detection and application of the exceptions to this rule is infeasible; however, heuristic techniques may be useful.
Related Guidelines
CWE-766, Critical Variable Declared Public | |
Secure Coding Guidelines for the Java Programming Language, Version 3.0 | Guideline 3-2. Define wrapper methods around modifiable internal state |
Bibliography
Item 13, "Minimize the Accessibility of Classes and Members" | |
[JLS 2005] | |
Section 2.2, "Public Fields" |
OBJ00-J. Limit the extensibility of classes and methods with invariants 
