A non-empty array is always mutable, so a public static final array makes no sense; clients will be able to modify the contents of the array (although they will not be able to change the array itself, as it is final).
```java
public static final SomeType[] SOMETHINGS = { ... };
```

With this declaration, `SOMETHINGS[1]`, etc. can be modified by clients of the code.
One approach is to have a private array and a public method that returns a copy of the array:
```java
private static final SomeType[] SOMETHINGS = { ... };

public static final SomeType[] somethings() {
    return SOMETHINGS.clone();
}
```
Now, the original array values cannot be modified by a client.
An alternative approach is to have a private array from which a public immutable list is constructed:

```java
private static final SomeType[] THE_THINGS = { ... };

public static final List<SomeType> SOMETHINGS =
    Collections.unmodifiableList(Arrays.asList(THE_THINGS));
```
Now, neither the original array values nor the public list can be modified by a client.
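The following class is an added example, not code from the CERT page, that puts the three declarations side by side with `String` standing in for `SomeType`: the non-compliant public array, the private array with a copying accessor, and the private array wrapped in an unmodifiable list. The class and field names are illustrative.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example (not part of the original page). "String" stands in for SomeType;
// all field and method names here are illustrative.
public final class ArrayExposure {

    // Non-compliant: 'final' only fixes the reference, not the element values.
    public static final String[] EXPOSED = { "red", "green", "blue" };

    // Compliant, approach 1: private array plus an accessor that returns a copy.
    private static final String[] COPIED = { "red", "green", "blue" };

    public static String[] colors() {
        return COPIED.clone();
    }

    // Compliant, approach 2: private array wrapped in an unmodifiable list.
    private static final String[] BACKING = { "red", "green", "blue" };

    public static final List<String> COLORS =
        Collections.unmodifiableList(Arrays.asList(BACKING));

    private ArrayExposure() { }

    public static void main(String[] args) {
        // A client of the non-compliant field can silently change the "constant".
        EXPOSED[0] = "tampered";
        System.out.println("EXPOSED[0]    = " + EXPOSED[0]);     // tampered

        // The copy returned by colors() can be changed, but the private original cannot.
        String[] copy = colors();
        copy[0] = "tampered";
        System.out.println("colors()[0]   = " + colors()[0]);    // red

        // The unmodifiable list rejects mutation at runtime.
        try {
            COLORS.set(0, "tampered");
        } catch (UnsupportedOperationException e) {
            System.out.println("COLORS.set(0) -> UnsupportedOperationException");
        }
        System.out.println("COLORS.get(0) = " + COLORS.get(0)); // red
    }
}
```

Both compliant forms protect only the array structure: `clone()` is a shallow copy and the unmodifiable list hands out the same element references. If the element type is itself mutable, a client can still change the state of an element obtained through either accessor, so use an immutable element type or copy the elements as well. Also note that the list approach remains safe only as long as `BACKING` never escapes the class.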
Having a public static final array is a potential security risk, as the array elements may be modified by a client.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
SEC37-J | medium | likely | low | P18 | L1
Search for vulnerabilities resulting from the violation of this rule on the CERT website.