Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

Do not expose references to mutable objects to client code. Never initialize such a field to a client-provided object reference or return the object reference from an accessor. Exposing a public static final object allows clients to modify the contents of the object (although they will not be able to change the object itself, as it is final). 

This rule does not address private mutable objects, see rule OBJ05-J. Do not return references to private mutable class members for more information.

Noncompliant Code Example

Suppose that SomeType is immutable.

Code Block
bgColor#FFCCCC
public static final SomeType [] SOMETHINGS = { ... };

With Even though SomeType is immutable, this declaration , SOMETHINGS[1], etc. can allows the SOMETHINGS array to be modified by untrusted clients of the code. Any element of the array can be assigned a new value, namely a reference to a new SomeType object.

This noncompliant code example also violates OBJ01-J. Limit accessibility of fields.

Noncompliant Code Example (getter method)

This noncompliant code example complies with OBJ01-J. Limit accessibility of fields by declaring the array private. But, in declaring the array private, this code example violates OBJ05-J. Do not return references to private mutable class members.

Suppose that SomeType is immutable.

Code Block
bgColor#FFCCCC
private static final SomeType [] SOMETHINGS = { ... };
public static final getSomethings() {return SOMETHINGS;} 

Even though SomeType is immutable, the public getter method enables untrusted clients to modify the SOMETHINGS array. Any element of the array can be assigned a new value, namely a reference to a new SomeType object.

Compliant Solution

...

(clone)

Continuing with the assumption that SomeType is immutable, one One approach is to have a private array and a public method that returns a copy of the array:

Code Block
bgColor#ccccff
private static final SomeType [] SOMETHINGS = { ... };
public static final SomeType [] somethings() {
  return SOMETHINGS.clone();
}

Now, the original array values cannot be modified by a clientany client.  If SomeType were mutable, this approach would not be effective because the array clone references the same SomeType objects as the SOMETHINGS array. If the client modified the clone SomeType objects directly, the SomeType objects referenced by the SOMETHINGS array would also change.

Compliant Solution

...

(Unmodifiable List)

Continuing with the assumption that SomeType is immutable, an An alternative approach is to have a private array from which a public immutable list is constructed:

...

Now, neither the original array values nor the public list can be modified by a client. If SomeType were mutable, this would not be effective because the list references the same SomeType objects as the SOMETHINGS array. The unmodifiabileList prevents the list from being modified, not the elements in the list. If the client modified the list's SomeType objects directly, the SomeType objects referenced by the SOMETHINGS array would also change.

Risk Assessment

Having a public static final array is a potential security risk because the array elements may be modified by a client.

Guideline
Rule

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

SEC37

OBJ13-J

Medium

Likely

Low

Yes

No

P18

P12

L1

Automated Detection

...

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.OBJ13.RMOAvoid referencing mutable fields
SonarQube
Include Page
SonarQube_V
SonarQube_V

S2386

S2384

Mutable fields should not be "public static"

Mutable members should not be stored or returned directly

SpotBugs

Include Page
SpotBugs_V
SpotBugs_V

MS_EXPOSE_REP
EI_EXPOSE_REP
EI_EXPOSE_STATIC_REP2
EI_EXPOSE_STATIC_REP2

Implemented (since 4.3.0)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

References

[Bloch 2008]Item 13, "Minimize the Accessibility of Classes and Members"
[JLS 2015]§6.6, "Access Control"

 


...

Image Modified Image Modified Image Modified