Inappropriate coding practices
Need
Enforcement of proper encapsulation in coding practices
Context
- Usage of Java for building cross-platform applications
Description
Non compliant code
package com.example;
public class User {
public String name;
public String email;
public String password;
}
The above code represents a User class in a typical Java backend application. This class has three fields: name, email, and password. All of these fields are defined as public.
In Java, fields are typically private, and can be accessed or modified using getter and setter methods. This is a key principle of encapsulation, one of the four fundamental principles of Object-Oriented Programming (OOP).
Encapsulation is the mechanism of hiding data implementation by restricting access to public methods. Instance variables are kept private and accessor methods (getters and setters) are provided to manipulate these variables. Thus, encapsulation makes the variables of the class private and provides public methods for them.
However, in the provided code, the fields are public. This means that they can be accessed directly from outside the class, which violates the principle of encapsulation. This could potentially lead to inappropriate use or manipulation of the data, which could in turn lead to security risks, especially considering that one of the fields is 'password'.
Steps
- Use access modifiers to control the visibility of class fields
- Declare the fields as private to enforce encapsulation
- Provide getter and setter methods to access and modify the fields
Compliant code
package com.example;
public class User {
private String name;
private String email;
private String password;
// Getter methods
public String getName() {
return this.name;
}
public String getEmail() {
return this.email;
}
public String getPassword() {
return this.password;
}
// Setter methods
public void setName(String name) {
this.name = name;
}
public void setEmail(String email) {
this.email = email;
}
public void setPassword(String password) {
this.password = password;
}
}
The original code had a vulnerability due to inappropriate coding practices. The fields of the User class were declared as public, which violates the principle of encapsulation in object-oriented programming. Encapsulation is a mechanism that binds together the data and functions that manipulate the data and keeps both safe from outside interference and misuse.
To fix this vulnerability, the fields name, email, and password have been declared as private. This restricts their visibility only to the User class and they cannot be directly accessed from outside the class.
To provide access to these fields, getter and setter methods have been added. The getter methods (getName(), getEmail(), and getPassword()) return the value of the respective fields. The setter methods (setName(String), setEmail(String), and setPassword(String)) set the value of the respective fields.
This way, the fields can be accessed and modified in a controlled manner, respecting the principle of encapsulation.