• Home
• org.codehaus.sonar-plugins.java
• java-checks
• 3.2
• source code
• S1873.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.java.rules.squid.S1873.html Maven / Gradle / Ivy

Public arrays, even ones declared static final can have their contents edited by malicious programs. The final keyword on an array declaration means that the array object itself may only be assigned once, but its contents are still mutable. Therefore making arrays public is a security risk.
Instead, arrays should be private and accessed through methods.
Noncompliant Code Example

public class Estate {
  // Noncompliant; array contents can be modified
  public static final String [] HEIRS = new String [] { 
    "Betty", "Suzy" };
}

public class Malicious {
  public void changeWill() {
    Estate.HEIRS[0] = "Biff";
    if (Estate.HEIRS.length > 1) {
      for (int i = 1; i < Estate.HEIRS.length; i++) {
        Estate.HEIRS[i] = "";
      }
  }
}

Compliant Solution

public class Estate {
  private static final String [] HEIRS = new String [] { 
    "Betty", "Suzy" };

  public String [] getHeirs() {
    // return copy of HEIRS
  }
}


See


 MITRE, CWE-582 - Array Declared Public, Final, and Static
 MITRE, CWE-607 - Public Static Final Field References Mutable Object