rspec/rules/S1873/rule.adoc

== Why is this an issue?

Public arrays, even ones declared ``++static final++`` can have their contents edited by malicious programs. The ``++final++`` keyword on an array declaration means that the array object itself may only be assigned once, but its contents are still mutable. Therefore making arrays ``++public++`` is a security risk.


Instead, arrays should be private and accessed through methods.


=== Noncompliant code example

[source,text]
----
public class Estate {
  // Noncompliant; array contents can be modified
  public static final String [] HEIRS = new String [] { 
    "Betty", "Suzy" };
}

public class Malicious {
  public void changeWill() {
    Estate.HEIRS[0] = "Biff";
    if (Estate.HEIRS.length > 1) {
      for (int i = 1; i < Estate.HEIRS.length; i++) {
        Estate.HEIRS[i] = "";
      }
  }
}
----


=== Compliant solution

[source,text]
----
public class Estate {
  private static final String [] HEIRS = new String [] { 
    "Betty", "Suzy" };

  public String [] getHeirs() {
    // return copy of HEIRS
  }
}

----


== Resources

* CWE - https://cwe.mitre.org/data/definitions/582[CWE-582 - Array Declared Public, Final, and Static]
* CWE - https://cwe.mitre.org/data/definitions/607[CWE-607 - Public Static Final Field References Mutable Object]
* https://wiki.sei.cmu.edu/confluence/x/LjdGBQ[CERT, OBJ01-J.] - Limit accessibility of fields
* https://wiki.sei.cmu.edu/confluence/x/VzZGBQ[CERT, OBJ13-J.] - Ensure that references to mutable objects are not exposed

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make this array "private".


'''
== Comments And Links
(visible only on this page)

=== on 30 Jul 2014, 21:24:47 Freddy Mallet wrote:
FYI [~ann.campbell.2], I've just added the two tags "security" and "cwe"


endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Fix the double-plus ++ handling in the inline-code 2021-01-27 16:55:38 +01:00			Public arrays, even ones declared ``++static final++`` can have their contents edited by malicious programs. The ``++final++`` keyword on an array declaration means that the array object itself may only be assigned once, but its contents are still mutable. Therefore making arrays ``++public++`` is a security risk.
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`Instead, arrays should be private and accessed through methods.`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,text]`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`----`
			`public class Estate {`
			`// Noncompliant; array contents can be modified`
			`public static final String [] HEIRS = new String [] {`
			`"Betty", "Suzy" };`
			`}`

			`public class Malicious {`
			`public void changeWill() {`
			`Estate.HEIRS[0] = "Biff";`
			`if (Estate.HEIRS.length > 1) {`
			`for (int i = 1; i < Estate.HEIRS.length; i++) {`
			`Estate.HEIRS[i] = "";`
			`}`
			`}`
			`}`
			`----`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,text]`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`----`
			`public class Estate {`
			`private static final String [] HEIRS = new String [] {`
			`"Betty", "Suzy" };`

			`public String [] getHeirs() {`
			`// return copy of HEIRS`
			`}`
			`}`

			`----`


migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/582[CWE-582 - Array Declared Public, Final, and Static]`
			`* CWE - https://cwe.mitre.org/data/definitions/607[CWE-607 - Public Static Final Field References Mutable Object]`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`* https://wiki.sei.cmu.edu/confluence/x/LjdGBQ[CERT, OBJ01-J.] - Limit accessibility of fields`
			`* https://wiki.sei.cmu.edu/confluence/x/VzZGBQ[CERT, OBJ13-J.] - Ensure that references to mutable objects are not exposed`

Add missing asciidoc includes 2022-01-25 18:36:46 +01:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make this array "private".`

Add missing asciidoc includes 2022-01-25 18:36:46 +01:00
			`'''`
			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 30 Jul 2014, 21:24:47 Freddy Mallet wrote:`
			`FYI [~ann.campbell.2], I've just added the two tags "security" and "cwe"`

Add missing asciidoc includes 2022-01-25 18:36:46 +01:00
			`endif::env-github,rspecator-view[]`