Corgea LogoCorgea Security Hub

CWE-582: Array Declared Public, Final, and Static

Learn about CWE-582 (Array Declared Public, Final, and Static), its security impact, exploitation methods, and prevention guidelines.

What is Array Declared Public, Final, and Static?

• Overview: Public, final, and static arrays in Java are vulnerable because while their reference cannot be changed, their content can be modified by any external code, leading to potential security issues.

• Exploitation Methods:

  • Attackers can directly modify the contents of the array since it is accessible from anywhere in the code.
  • Common attack patterns include replacing legitimate data with malicious data, or extracting sensitive information stored in the array.

• Security Impact:

  • Direct consequences include data integrity issues and unauthorized data modification.
  • Potential cascading effects involve compromised application logic and security, leading to broader system vulnerabilities.
  • Business impact could involve data breaches, loss of customer trust, and non-compliance with data protection regulations.

• Prevention Guidelines:

  • Use private arrays and provide controlled access through methods that return copies or read-only views.
  • Implement security best practices by encapsulating data and limiting visibility to internal classes only.
  • Recommended tools and frameworks include static analysis tools to detect improper visibility and mutability of fields, and using libraries that support immutable collections.
Corgea can automatically detect and fix Array Declared Public, Final, and Static in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Java

Affected Technologies: Not specified

Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your product is running.

Vulnerable Code Example

// This code demonstrates a vulnerability where a public, static, and final array can be modified
public class Config {
    // Vulnerable: The array is public, static, and final, making it accessible and modifiable by external code
    public static final String[] SERVERS = {"server1.example.com", "server2.example.com"};

    public static void main(String[] args) {
        // Potentially malicious code can modify the SERVERS array
        SERVERS[0] = "malicious.example.com"; // The original array is altered
        System.out.println(SERVERS[0]); // Outputs: malicious.example.com
    }
}

How to fix Array Declared Public, Final, and Static?

To fix the vulnerability, follow these steps:

  1. Encapsulation: Change the array's visibility to private to prevent direct access.
  2. Immutable Access: Provide public methods to access the array's content in an immutable manner.
  3. Defensive Copying: Return a copy of the array when it needs to be accessed externally, ensuring the original array cannot be altered.

These steps ensure that the array cannot be modified by external code, thus protecting the integrity of the data.

Fixed Code Example

// Fixed code implementing encapsulation and defensive copying
public class Config {
    // The array is now private to restrict direct access
    private static final String[] SERVERS = {"server1.example.com", "server2.example.com"};

    // Public method to access a copy of the array, ensuring immutability
    public static String[] getServers() {
        return SERVERS.clone(); // Defensive copying to prevent modification of the original array
    }

    public static void main(String[] args) {
        // Accessing the SERVERS array through the provided method
        String[] servers = Config.getServers();
        // Attempting to modify the array will not affect the original
        servers[0] = "malicious.example.com";
        System.out.println(Config.getServers()[0]); // Outputs: server1.example.com (unmodified)
    }
}

In the fixed version, the SERVERS array is private, and modifications are prevented by returning a clone of the array. This ensures the original array remains unchanged, maintaining the integrity of the application's configuration. The code follows Java best practices by encapsulating the array and providing controlled access through a public method.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-582: Array Declared Public, Final, and Static and get remediation guidance

Start for free and no credit card needed.