Posted to dev@fineract.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/07/05 01:15:00 UTC

[jira] [Commented] (FINERACT-470) Fix security vulnerabilities related to using public mutable and nonconstant fields

    [ https://issues.apache.org/jira/browse/FINERACT-470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16074147#comment-16074147 ] 

ASF GitHub Bot commented on FINERACT-470:
-----------------------------------------

GitHub user ThisuraThejith opened a pull request:

    https://github.com/apache/fineract/pull/379

    Extended fix for FINERACT-470

    resolved the rest of the issues related to FINERACT-470

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ThisuraThejith/incubator-fineract FINERACT-470

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/fineract/pull/379.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #379
    
----
commit e590ed61c4b5ebfe7e6f66723a9c56e4740a8116
Author: ThisuraThejith <tt...@gmail.com>
Date:   2017-07-05T01:15:06Z

    resolved the rest of the issues related to FINERACT-470

----


> Fix security vulnerabilities related to using public mutable and nonconstant fields
> -----------------------------------------------------------------------------------
>
>                 Key: FINERACT-470
>                 URL: https://issues.apache.org/jira/browse/FINERACT-470
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: System
>            Reporter: Thisura
>            Assignee: Markus Geiss
>              Labels: p1
>
> There are multiple security vulnerabilities found in fineract-provider as described in this report [1].
> There are four types of vulnerabilities related to using public mutable and nonconstant fields.
> 1. Mutable fields should not be "public static"
>     * MITRE, CWE-582 - Array Declared Public, Final, and Static
>     * MITRE, CWE-607 - Public Static Final Field References Mutable Object
> 2. "static final" arrays should be "private"
>     * MITRE, CWE-582 - Array Declared Public, Final, and Static
>     * MITRE, CWE-607 - Public Static Final Field References Mutable Object
> 3. "public static" fields should be constant
>     * MITRE, CWE-500 - Public Static Field Not Marked Final
>     * CERT OBJ10-J - Do not use public static nonfinal variable
> 4. "enum" fields should not be publicly mutable
> The reported incident of type 2 is considered to be a false positive. Types 1, 3 and 4 are present as described in the report [1].
> The proposed solutions [2] are as follows (solutions correspond to each vulnerability type above).
> 1. Mutable fields should not be "public static" => Make the respective members protected. If they are in a class, move them to a separate class and lower the visibility.
> 2. "static final" arrays should be "private" => Make the arrays private
> 3. "public static" fields should be constant => Make the respective field final
> 4. "enum" fields should not be publicly mutable => Lower the visibility of the setter. Remove it altogether.
> Some of the issues were fixed in FINERACT-436 [3]. The rest should be covered in this ticket.
> [1] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
> [2] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
> [3] https://github.com/apache/fineract/pull/343



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
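The four field patterns the ticket lists, each shown as a deliberately weak class beside its hardened form, with a small driver that attempts the same tampering against both. This is an added illustration written for this page, not Fineract code; every class, field and method name (ALLOWED_ROLES, SUPPORTED_CURRENCIES, MAX_LOGIN_ATTEMPTS, the Status enums) is made up for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not from the Fineract code base): the four public mutable /
 * non-constant field patterns named in FINERACT-470, vulnerable and hardened.
 * All identifiers here are invented for illustration.
 */
public class PublicMutableFieldsDemo {

    // 1. Mutable object behind "public static final" (CWE-607).
    static final class Vulnerable1 {
        // "final" only pins the reference; any class can add() to or clear() the list.
        public static final List<String> ALLOWED_ROLES =
                new ArrayList<>(Arrays.asList("ADMIN", "USER"));
    }
    static final class Hardened1 {
        private static final List<String> ALLOWED_ROLES =
                Collections.unmodifiableList(Arrays.asList("ADMIN", "USER"));
        // Read-only view: mutators throw UnsupportedOperationException.
        static List<String> allowedRoles() { return ALLOWED_ROLES; }
    }

    // 2. "static final" array should be private (CWE-582).
    static final class Vulnerable2 {
        // Array elements stay writable even though the field itself is final.
        public static final String[] SUPPORTED_CURRENCIES = {"USD", "EUR"};
    }
    static final class Hardened2 {
        private static final String[] SUPPORTED_CURRENCIES = {"USD", "EUR"};
        // Hand out a copy so callers never touch the shared array.
        static String[] supportedCurrencies() { return SUPPORTED_CURRENCIES.clone(); }
    }

    // 3. "public static" field should be constant (CWE-500 / CERT OBJ10-J).
    static final class Vulnerable3 {
        public static int MAX_LOGIN_ATTEMPTS = 5;        // any class can reassign it
    }
    static final class Hardened3 {
        public static final int MAX_LOGIN_ATTEMPTS = 5;  // reassignment is a compile error
    }

    // 4. "enum" fields should not be publicly mutable.
    enum VulnerableStatus {
        ACTIVE("active"), CLOSED("closed");
        private String code;
        VulnerableStatus(String code) { this.code = code; }
        public String getCode() { return code; }
        // Enum constants are JVM-wide singletons: this setter changes what
        // ACTIVE means for every other user of the enum.
        public void setCode(String code) { this.code = code; }
    }
    enum HardenedStatus {
        ACTIVE("active"), CLOSED("closed");
        private final String code;                       // final field, no setter
        HardenedStatus(String code) { this.code = code; }
        public String getCode() { return code; }
    }

    /** Tampers with each vulnerable pattern, then shows the hardened forms resist it. */
    public static void main(String[] args) {
        Vulnerable1.ALLOWED_ROLES.add("SUPERUSER");          // succeeds: shared list grows
        Vulnerable2.SUPPORTED_CURRENCIES[0] = "XXX";        // succeeds: shared element overwritten
        Vulnerable3.MAX_LOGIN_ATTEMPTS = Integer.MAX_VALUE; // succeeds: limit effectively disabled
        VulnerableStatus.ACTIVE.setCode("closed");          // succeeds: ACTIVE now reports "closed"
        System.out.println(Vulnerable1.ALLOWED_ROLES);
        System.out.println(Vulnerable2.SUPPORTED_CURRENCIES[0]);
        System.out.println(Vulnerable3.MAX_LOGIN_ATTEMPTS);
        System.out.println(VulnerableStatus.ACTIVE.getCode());

        try {
            Hardened1.allowedRoles().add("SUPERUSER");      // rejected at runtime
        } catch (UnsupportedOperationException e) {
            System.out.println("Hardened1: list is read-only");
        }
        String[] copy = Hardened2.supportedCurrencies();
        copy[0] = "XXX";                                    // only the caller's copy changes
        System.out.println(Hardened2.supportedCurrencies()[0]);
        // Hardened3.MAX_LOGIN_ATTEMPTS = 1;      // compile error: cannot assign to final field
        // HardenedStatus.ACTIVE.setCode("x");    // compile error: no such method
        System.out.println(HardenedStatus.ACTIVE.getCode());
    }
}
```

Compile and run with `javac PublicMutableFieldsDemo.java && java PublicMutableFieldsDemo`. The point the scanner rules make is visible in the first four lines of main: none of those writes needs reflection or a subclass, so any code sharing the JVM (a plugin, a test, a dependency) can change security-relevant state for the whole process. The hardened forms move the failure to compile time (3, 4) or to a defensive copy or read-only view (1, 2).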