CWE-487 依赖包一级的范围
Reliance on Package-level Scope
结构: Simple
Abstraction: Variant
状态: Incomplete
被利用可能性: Medium
基本描述
Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
扩展描述
The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.
相关缺陷
- cwe_Nature: ChildOf cwe_CWE_ID: 664 cwe_View_ID: 1000 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | Read Application Data | Any data in a Java package can be accessed outside of the Java framework if the package is distributed. |
| Integrity | Modify Application Data | The data in a Java class can be modified by anyone outside of the Java framework if the packages is distributed. |
可能的缓解方案
['Architecture and Design', 'Implementation']
策略:
Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering.
示例代码
例
The following example demonstrates the weakness.
bad Java
package math;
public class Lebesgue implements Integration{
}
public class Lebesgue implements Integration{
public final Static String youAreHidingThisFunction(functionToIntegrate){
return ...;
}
return ...;
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Relying on package-level scope | ||
| The CERT Oracle Secure Coding Standard for Java (2011) | MET04-J | Do not increase the accessibility of overridden or hidden methods |