CWE-500 公开静态字段没有标记为Final

Public Static Field Not Marked Final

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: High

基本描述

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

扩展描述

Public static variables can be read without an accessor and changed without a mutator by any classes in the application.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 493 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 493 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: [{'cwe_Name': 'C++', 'cwe_Prevalence': 'Undetermined'}, {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}]

常见的影响

可能的缓解方案

Architecture and Design

策略:

Clearly identify the scope for all critical data elements, including whether they should be regarded as static.

Implementation

策略:

Make any static fields private and constant. A constant field is denoted by the keyword 'const' in C/C++ and ' final' in Java

示例代码

例

The following examples use of a public static String variable to contain the name of a property/configuration file for the application.

bad C++

bad Java

Having a public static variable that is not marked final (constant) may allow the variable to the altered in a way not intended by the application. In this example the String variable can be modified to indicate a different on nonexistent properties file which could cause the application to crash or caused unexpected behavior.

good C++

good Java

分类映射