CWE-607 公开静态最终域索引互斥的对象
Public Static Final Field References Mutable Object
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: unkown
基本描述
A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 471 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 471 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Integrity | Modify Application Data |
可能的缓解方案
Implementation
策略:
Protect mutable objects by making them private. Restrict access to the getter and setter as well.
示例代码
例
Here, an array (which is inherently mutable) is labeled public static final.
bad Java
public static final String[] USER_ROLES;
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| Software Fault Patterns | SFP23 | Exposed Data |