Failure to Protect Class Data with Accessors

From Guidance Share

Jump to: navigation, search

Contents

Description

Internal class data should be protected from direct modification.

Applies To

  • Languages: Java, C++
  • Operating platforms: Any

Example

The following code shows public data that is not protected by an accessor:

public:
int someNumberPeopleShouldntMessWith;

This data should be private and modified through a public accessor.

Impact

  • Integrity: The object could be tampered with.

Vulnerabilities

  • Exposing internal class data directly to callers

Countermeasures

  • Design through Implementation: Use private members, and class accessor methods to their full benefit. This is the recommended mitigation. Make all public members private, and -- if external access is necessary -- use accessor functions to do input validation on all values.
  • Implementation: Data should be private, static, and final whenever possible This will assure that your code is protected by instantiating early, preventing access and preventing tampering.
  • Implementation: Use sealed classes. Using sealed classes protects object-oriented encapsulation paradigms and therefore protects code from being extended in unforeseen ways.
  • Implementation: Use class accessor methods to their full benefit. Use the accessor functions to do input validation on all values intended for private values.

Vulnerability Patterns

How Tos

Personal tools