Classes and class members (classes, interfaces, fields and methods) are subject to access control in Java. The access is indicated by an access modifier: public, protected, private, or the absence of an access modifier (the default access). A simplified view of the access control rules is summarized in the following table. An 'x' conveys that the particular access is permitted from within that domain.
Access Specifier |
class |
package |
sub-class |
world |
|---|---|---|---|---|
private |
x |
|
|
|
none |
x |
x |
|
|
protected |
x |
x |
x* |
|
public |
x |
x |
x |
x |
*For referencing protected members, the accessing class can be a sub-class in either the same or a different package.
Classes and class members should be given the minimum access possible so that malicious code has the least chance of manipulating the system. As far as possible, sensitive classes should avoid implementing interfaces. This is because only public methods are allowed to be declared within interfaces and these carry forward to the public API of the class. An exception is implementing an unmodifiable interface that exposes a public immutable view of a mutable object (SEC01-J. Provide sensitive mutable classes with unmodifiable wrappers). Additionally, be aware that even if a class's visibility is default, it can be susceptible to misuse if it exposes a public method.
Noncompliant Code Example
In this noncompliant example, the class PublicClass is declared public. The member function getPoint as well as the (x, y) coordinates are also declared public. This gives world-access to the class members. A real world vulnerability, for example, can arise when a malicious applet attempts to access the credit card field of another object that is declared public. Note that a non-public class is also vulnerable if its members are declared public.
public class PublicClass {
public int x;
public int y;
public void getPoint() {
System.out.println("(" + x + "," + y + ")");
}
}
Compliant Solution
Limiting the scope of classes, interfaces, methods and fields as far as possible reduces the chance of malicious manipulation. Limit the accessibility depending on the desired implementation scope. This also helps eliminate the threat of malicious overriding. The most restrictive access conditions are demonstrated in this compliant solution.
final class PrivateClass {
private int x;
private int y;
private void getPoint() {
System.out.println("(" + x + "," + y + ")");
}
}
Risk Assessment
Granting unnecessary access weakens the security of Java applications.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
SEC05-J |
medium |
likely |
medium |
P12 |
L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[JLS 05]] Section 6.6, Access Control
[[SCG 07]] Guideline 1-1 Limit the accessibility of classes, interfaces, methods, and fields
[[Campione 96]] Access Control
[[McGraw 00]] Chapter 3, Java Language Security Constructs
[[Bloch 08]] Item 13: Minimize the accessibility of classes and members
SEC06-J. Assume that all Java clients can be reverse engineered, monitored, and modified 01. Platform Security (SEC) ENV30-J. Create a secure sandbox using a Security Manager