CWE-487 依赖包一级的范围

Reliance on Package-level Scope

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: Medium

基本描述

Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.

扩展描述

The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 664 cwe_View_ID: 1000 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Confidentiality Read Application Data Any data in a Java package can be accessed outside of the Java framework if the package is distributed.
Integrity Modify Application Data The data in a Java class can be modified by anyone outside of the Java framework if the packages is distributed.

可能的缓解方案

['Architecture and Design', 'Implementation']

策略:

Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering.

示例代码

The following example demonstrates the weakness.

bad Java

package math;
public class Lebesgue implements Integration{
public final Static String youAreHidingThisFunction(functionToIntegrate){

return ...;
}
}

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Relying on package-level scope
The CERT Oracle Secure Coding Standard for Java (2011) MET04-J Do not increase the accessibility of overridden or hidden methods