Inappropriate coding practices
Need
Enforce proper encapsulation in code implementation
Context
- Usage of Scala for building scalable and high-performance applications
Description
Non compliant code
package models
class User {
public var username: String = ""
public var password: String = ""
}
The above Scala code defines a class User with two public fields: username and password.
According to the principles of Object-Oriented Programming (OOP), one of the fundamental concepts is Encapsulation, which is used to hide the values or state of a structured data object inside a class, preventing unauthorized parties' direct access to them.
However, in the given code, the fields username and password are declared as public, which means they can be accessed and modified directly from any part of the application. This violates the principle of Encapsulation and can potentially lead to data integrity issues, as well as security vulnerabilities.
For instance, a malicious user could potentially alter the username or password of a User object, leading to unauthorized access or other potential security issues.
Steps
- Step 1: Change the access modifiers of the fields in the User class from public to private.
- Step 2: Add getter and setter methods for the username and password fields.
- Step 3: Update the code that accesses the username and password fields to use the getter and setter methods instead.
Compliant code
package models
class User {
private var _username: String = ""
private var _password: String = ""
def username = _username
def username_=(value: String): Unit = _username = value
def password = _password
def password_=(value: String): Unit = _password = value
}
The original code had a vulnerability due to inappropriate coding practices. The fields of the User class were defined as public, which does not respect the encapsulation principle. This could potentially allow unauthorized access and modification of these fields, leading to security risks.
The fixed code changes the access modifiers of the username and password fields from public to private, respecting the encapsulation principle. This means that these fields can now only be accessed and modified within the User class itself.
In addition, getter and setter methods have been added for the username and password fields. These methods provide a controlled way of accessing and modifying the fields. The getter methods (username and password) return the value of the respective field, while the setter methods (username_= and password_=) allow the value of the respective field to be changed.
Any code that previously accessed the username and password fields directly will need to be updated to use these getter and setter methods instead. This ensures that the fields are accessed and modified in a controlled way, reducing the risk of unauthorized access or modification.