fineract-dev mailing list archives

From "Thisura (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FINERACT-436) Fix security vulnerabilities related to using public mutable and nonconstant fields
Date Fri, 21 Apr 2017 20:20:04 GMT
Thisura created FINERACT-436:
--------------------------------

             Summary: Fix security vulnerabilities related to using public mutable and nonconstant fields
                 Key: FINERACT-436
                 URL: https://issues.apache.org/jira/browse/FINERACT-436
             Project: Apache Fineract
          Issue Type: Bug
          Components: Accounting, Organization
            Reporter: Thisura
            Assignee: Markus Geiss


There are multiple security vulnerabilities found in fineract-provider as described in this report [1] (https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4).

There are four types of vulnerabilities related to using public mutable and nonconstant fields.

1. Mutable fields should not be "public static"
     * MITRE, CWE-582 - Array Declared Public, Final, and Static
     * MITRE, CWE-607 - Public Static Final Field References Mutable Object

2. "static final" arrays should be "private"
     * MITRE, CWE-582 - Array Declared Public, Final, and Static
     * MITRE, CWE-607 - Public Static Final Field References Mutable Object

3. "public static" fields should be constant
     * MITRE, CWE-500 - Public Static Field Not Marked Final
     * CERT OBJ10-J - Do not use public static nonfinal variable

4. "enum" fields should not be publicly mutable

The reported incident of type 2 is considered to be a false positive. Types 1, 3 and 4 are present as described in the report [1] (https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4).

The proposed solutions [2] (https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U) are as follows (each solution corresponds to the vulnerability type of the same number above).

1. Mutable fields should not be "public static" => Make the respective members protected. If they are in a class, move them to a separate class and lower the visibility.

2. "static final" arrays should be "private" => Make the arrays private.

3. "public static" fields should be constant => Make the respective field final.

4. "enum" fields should not be publicly mutable => Lower the visibility of the setter, or remove it altogether.

[1] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
[2] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
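As an added illustration of the field patterns this ticket flags (types 1, 3 and 4), each weak form is shown beside its hardened form. This is example code written for this page, not Fineract code; every class and field name in it is invented.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration of the field patterns flagged in this ticket. All class and
// field names are invented for the example; none of this is Fineract code.
public class MutableStaticFieldsDemo {
    // Type 1 (CWE-607): "final" freezes the reference, not the list. Any class in
    // the JVM can call CurrenciesBefore.CODES.add(...) and every caller sees it.
    static class CurrenciesBefore {
        public static final List<String> CODES = new ArrayList<>(Arrays.asList("USD", "EUR"));
    }
    // Hardened: keep the mutable list private, publish only a read-only view.
    static class CurrenciesAfter {
        private static final List<String> CODES = new ArrayList<>(Arrays.asList("USD", "EUR"));
        public static final List<String> VIEW = Collections.unmodifiableList(CODES);
    }

    // Type 3 (CWE-500 / OBJ10-J): a public static non-final field is global mutable state.
    static class LimitsBefore { public static int MAX_TERM_MONTHS = 360; }
    static class LimitsAfter  { public static final int MAX_TERM_MONTHS = 360; }

    // Type 4: enum constants are shared singletons, so a public setter on an
    // enum field lets any caller change state seen by the whole application.
    enum AccountTypeBefore {
        ASSET, LIABILITY;
        private String glPrefix;
        public void setGlPrefix(String p) { glPrefix = p; }   // the flagged setter
    }
    enum AccountTypeAfter {
        ASSET("1"), LIABILITY("2");
        private final String glPrefix;                        // set once, no setter
        AccountTypeAfter(String p) { glPrefix = p; }
        public String glPrefix() { return glPrefix; }
    }

    public static void main(String[] args) {
        CurrenciesBefore.CODES.add("XXX");                    // compiles and succeeds
        System.out.println(CurrenciesBefore.CODES);           // the added entry is visible to all callers
        try {
            CurrenciesAfter.VIEW.add("XXX");                  // rejected by the unmodifiable view
        } catch (UnsupportedOperationException e) {
            System.out.println("read-only view rejected the write");
        }
        LimitsBefore.MAX_TERM_MONTHS = 1;                     // compiles; the same assignment on LimitsAfter does not
        AccountTypeBefore.ASSET.setGlPrefix("9");             // process-wide side effect on a shared constant
        System.out.println(AccountTypeAfter.ASSET.glPrefix()); // immutable once constructed
    }
}
```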
