CWE-493: Critical Public Variable Without Final Modifier
Weakness ID: 493 (Weakness Variant)
Status: Draft
Description
Description Summary
The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
Extended Description
If a field is public and non-final, then once its value has been set it can still be changed by any code that has access to the class containing the field. This can lead to a vulnerability if other parts of the program make assumptions about the contents of that field.
Time of Introduction
Implementation
Applicable Platforms
Languages
Java
C++
Common Consequences
Scope: Integrity
Technical Impact: Modify application data
The object could potentially be tampered with.
Scope: Confidentiality
Technical Impact: Read application data
The contents of the object could potentially be read.
Likelihood of Exploit
High
Demonstrative Examples
Example 1
Suppose this WidgetData class is used for an e-commerce web site.
The programmer attempts to prevent price-tampering attacks by setting the
price of the widget using the constructor.
(Bad Code)
Example
Language: Java
public final class WidgetData extends Applet {
    public float price;   // public and non-final: writable by any code holding an instance
    ...
    public WidgetData(...) {
        this.price = LookupPrice("MyWidgetType");   // set once here, but not protected afterwards
    }
}
The price field is not final. Even though the value is set by the
constructor, it could be modified by anybody that has access to an
instance of WidgetData.
Example 2
Assume the following code is intended to provide the location of a
configuration file that controls execution of the application.
(Bad Code)
Example
Language: C++
public:
    std::string configPath = "/etc/application/config.dat";   // public, non-const member: any code with the object can reassign it
(Bad Code)
Example
Language: Java
public String configPath = new String("/etc/application/config.dat");   // public, non-final: any code with the object can reassign it
While this field is readable from any function, and thus might allow
an information leak of a pathname, a more serious problem is that it can
be changed by any function.
Potential Mitigations
Phase: Implementation
Declare all public fields as final when possible, especially if they are
used to maintain the internal state of an Applet or of classes used by an
Applet. If a field must be public, then perform all appropriate sanity
checks before accessing the field from your code.
Background Details
Mobile code, such as a Java Applet, is code that is transmitted across a
network and executed on a remote machine. Because mobile code developers
have little if any control of the environment in which their code will
execute, special security concerns become relevant. One of the biggest
environmental threats results from the risk that the mobile code will run
side-by-side with other, potentially malicious, mobile code. Because all of
the popular web browsers execute code from multiple sources together in the
same JVM, many of the security guidelines for mobile code are focused on
preventing manipulation of your objects' state and behavior by adversaries
who have access to the same virtual machine where your program is
running.
Final provides security by preventing a field from being reassigned once it
has been set. However, a class can only be declared final if no other class
extends it.
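The following added example (not part of the CWE entry) contrasts the non-final field from Example 1 with a final, private field, and also shows a point the entry does not spell out: a final reference still allows mutation of the object it points to, so a final collection needs an unmodifiable wrapper. The class and method names (Cwe493Demo, VulnerableWidgetData, SafeWidgetData, Order, lookupPrice) are assumptions for illustration, and the Applet base class is dropped so the program compiles stand-alone.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example; class and method names are illustrative assumptions.
public class Cwe493Demo {

    // Mirrors Example 1: the price is set in the constructor but stays writable.
    static class VulnerableWidgetData {
        public float price;                 // public, non-final: any holder can overwrite it
        VulnerableWidgetData(String type) { this.price = lookupPrice(type); }
    }

    // Hardened form: private and final, so it cannot be reassigned after construction.
    static class SafeWidgetData {
        private final float price;
        SafeWidgetData(String type) { this.price = lookupPrice(type); }
        public float getPrice() { return price; }
    }

    // final protects the reference, not the referenced object.
    static class Order {
        public final List<String> items = new ArrayList<>();   // final reference, mutable list
        public final List<String> safeItems;                   // final reference, read-only view
        Order(List<String> initial) {
            safeItems = Collections.unmodifiableList(new ArrayList<>(initial));
        }
    }

    static float lookupPrice(String type) { return 19.99f; }   // stand-in for a price lookup

    public static void main(String[] args) {
        VulnerableWidgetData v = new VulnerableWidgetData("MyWidgetType");
        v.price = 0.01f;   // compiles: this is the tampering the entry describes
        System.out.println("vulnerable price after tampering: " + v.price);

        SafeWidgetData s = new SafeWidgetData("MyWidgetType");
        // s.price = 0.01f;   // does not compile: price is private and final
        System.out.println("safe price: " + s.getPrice());

        Order o = new Order(List.of("widget"));
        o.items.add("free-upgrade");   // allowed despite final: the list itself is mutable
        System.out.println("items after mutation: " + o.items);
        try {
            o.safeItems.add("free-upgrade");   // rejected by the unmodifiable view
        } catch (UnsupportedOperationException e) {
            System.out.println("safeItems rejected mutation");
        }
    }
}
```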