[jira] [Assigned] (FINERACT-436) Fix security vulnerabilities related to using public mutable and nonconstant fields

Wed, 17 May 2017 02:45:30 -0700 

     [ 
https://issues.apache.org/jira/browse/FINERACT-436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Santosh Math reassigned FINERACT-436:
-------------------------------------

    Assignee: Markus Geiss  (was: Santosh Math)

> Fix security vulnerabilities related to using public mutable and nonconstant 
> fields
> -----------------------------------------------------------------------------------
>
>                 Key: FINERACT-436
>                 URL: https://issues.apache.org/jira/browse/FINERACT-436
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Accounting, Organization
>            Reporter: Thisura
>            Assignee: Markus Geiss
>             Fix For: 1.0.0
>
>
> There are multiple security vulnerabilities found in fineract-provider as 
> described in [this report 
> \[1\]|https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4]
> There are four types of vulnerabilities related to using public mutable and 
> nonconstant fields.
> 1. Mutable fields should not be "public static"
>      * MITRE, CWE-582 - Array Declared Public, Final, and Static
>      * MITRE, CWE-607 - Public Static Final Field References Mutable Object
> 2. "static final" arrays should be "private"
>      * MITRE, CWE-582 - Array Declared Public, Final, and Static
>      * MITRE, CWE-607 - Public Static Final Field References Mutable Object
> 3. "public static" fields should be constant
>      * MITRE, CWE-500 - Public Static Field Not Marked Final
>      * CERT OBJ10-J - Do not use public static nonfinal variable
> 4. "enum" fields should not be publicly mutable
> The reported incident of type 2 is considered to be false positive. 1,3,4 
> types are present as described in the 
> [report\[1\]|https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4]
> The proposed 
> [solutions\[2\]|https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U]
>  are as follows.(Solutions are respective to each vulnerability type above)
> 1. Mutable fields should not be "public static" => Make the respective 
> members protected. If they are in a class move them to a separate class and 
> lower the visibility.
> 2. "static final" arrays should be "private" => Make the arrays private
> 3. "public static" fields should be constant => Make the respective field 
> final
> 4. "enum" fields should not be publicly mutable => Lower the visibility of 
> the setter.  Remove it altogether. 
> \[1\] 
> https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
> \[2\] 
> https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to