Recipe Name:
Collections: Do not expose internal Sets
Description:
Do not expose an internal Set as it is mutable. Return a copy or immutable view.
Level:
marked_information
Language:
- java
Tags:
- security
- Java basic
- quality
Documentation
Class methods should not return a reference to a private member of type java.util.Collection (here, java.util.Set). Returning the field itself hands callers the live, mutable object, so external code can add or remove elements and change the state of the instance without going through its methods. This violates the encapsulation principle of OOP.

Returning an instance's private java.util.Set field allows external manipulation of the internal state of the instance because the collection is mutable. This can lead to unexpected program behaviour, for example when a set that was validated at construction time is modified later by a caller, or when several threads modify it concurrently. Instead, return either an unmodifiable view (java.util.Collections.unmodifiableSet, which rejects mutation but still reflects later changes made by the owning class) or a defensive copy (for example new HashSet<>(mySet), or Set.copyOf(mySet) on Java 10 and later, which gives a detached snapshot). Choose the view when callers should observe later internal changes and the copy when they should not. Neither option protects the elements themselves: if the set holds mutable objects, callers can still mutate those objects through either a view or a copy.
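The following is an added example, not part of the recipe or its original documentation, that contrasts the three choices discussed above. The class name SetExposure, the allow-list field allowedHosts and the host names are assumptions made for illustration; the sample entries are constructed data.

```java
import java.util.HashSet;
import java.util.Set;

// Added example (not from the original recipe): contrasts leaking the live set,
// returning an unmodifiable view, and returning a defensive copy.
public class SetExposure {
    // Hypothetical allow-list that the class is supposed to own and control.
    private final Set<String> allowedHosts = new HashSet<>();

    public SetExposure() {
        allowedHosts.add("intranet.example"); // constructed sample entry
    }

    // Leaks the live set: callers can add or remove entries behind the class's back.
    public Set<String> leakingView() {
        return allowedHosts;
    }

    // Read-only view: mutators throw UnsupportedOperationException,
    // but later changes made by this class are still visible through it.
    public Set<String> unmodifiableView() {
        return java.util.Collections.unmodifiableSet(allowedHosts);
    }

    // Defensive copy (Java 10+): an immutable snapshot detached from internal state.
    public Set<String> snapshot() {
        return Set.copyOf(allowedHosts);
    }

    public boolean isAllowed(String host) {
        return allowedHosts.contains(host);
    }

    public static void main(String[] args) {
        SetExposure policy = new SetExposure();

        // 1. Leaking getter: outside code rewrites the allow-list without any check.
        policy.leakingView().add("attacker.example");
        System.out.println("leaked view let caller add entry: "
                + policy.isAllowed("attacker.example"));

        // 2. Unmodifiable view: mutation through the view is rejected ...
        try {
            policy.unmodifiableView().add("other.example");
        } catch (UnsupportedOperationException e) {
            System.out.println("unmodifiable view rejected add");
        }
        // ... but it is a view, not a copy, so internal changes show through.
        Set<String> view = policy.unmodifiableView();
        policy.allowedHosts.add("later.example"); // simulate a later internal change
        System.out.println("view reflects later internal add: "
                + view.contains("later.example"));

        // 3. Snapshot: immutable and detached from later internal changes.
        Set<String> snap = policy.snapshot();
        policy.allowedHosts.add("even-later.example");
        System.out.println("snapshot reflects later internal add: "
                + snap.contains("even-later.example"));
    }
}
```

Run it with java SetExposure.java (Java 11 and later). The first case is the defect this recipe flags; the second is what the recipe's automatic fix produces; the third is the alternative to reach for when callers must not see later changes, at the cost of a copy per call. Set.copyOf also rejects null elements, which is another reason to prefer it only when the set is known not to contain them.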
Before
    import java.util.Set;

    public class SetExample {
        private Set<String> mySet;

        // Returns the internal set itself, so any caller can mutate it.
        public Set<String> getMySet() {
            return mySet;
        }
    }
After
    import java.util.Set;

    public class SetExample {
        private Set<String> mySet;

        // Returns a read-only view; mutation attempts throw UnsupportedOperationException.
        public Set<String> getMySet() {
            return java.util.Collections.unmodifiableSet(mySet);
        }
    }
Resources
- Wikipedia definition of Encapsulation (computer programming)
- SEI CERT Oracle Coding Standard for Java OBJ05-J. Do not return references to private mutable class members
- Mitre CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Recipe
id: scw:java:internal-set
version: 10
metadata:
  name: 'Collections: Do not expose internal Sets'
  shortDescription: Do not expose an internal Set as it is mutable. Return a copy or immutable view.
  level: marked_information
  language: java
  cweCategory: 200
  enabled: true
  descriptionFile: descriptions/DonotexposeinternalCollection-set.html
  tags: security;Java basic;quality
search:
  return:
    in:
      typeDeclaration:
        member:
          field:
            modifier:
              matches: (private|protected)
            name: '{{{returnValue.name}}}'
            type:
              reference:
                matches: java.util.Set.*
                checkInheritance: true
    value:
      reference:
        name: '{{{returnValue.name}}}'
availableFixes:
  - name: Return an unmodifiable Set
    actions:
      - rewrite:
          to: return java.util.Collections.unmodifiableSet({{{ returnValue }}});