logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Inappropriate coding practices - Scala

Need

Enforce proper encapsulation in code implementation

Context

  1. Usage of Scala for building scalable and high-performance applications

Description

Insecure Code Example

package models

class User {
  public var username: String = ""
  public var password: String = ""
}

The above Scala code defines a class `User` with two public fields: `username` and `password`. According to the principles of Object-Oriented Programming (OOP), one of the fundamental concepts is Encapsulation, which is used to hide the values or state of a structured data object inside a class, preventing unauthorized parties' direct access to them. However, in the given code, the fields `username` and `password` are declared as `public`, which means they can be accessed and modified directly from any part of the application. This violates the principle of Encapsulation and can potentially lead to data integrity issues, as well as security vulnerabilities. For instance, a malicious user could potentially alter the `username` or `password` of a `User` object, leading to unauthorized access or other potential security issues.

Steps

  1. Step 1: Change the access modifiers of the fields in the User class from public to private.
  2. Step 2: Add getter and setter methods for the username and password fields.
  3. Step 3: Update the code that accesses the username and password fields to use the getter and setter methods instead.

Secure Code Example

package models

class User {
  private var _username: String = ""
  private var _password: String = ""

  def username = _username
  def username_=(value: String): Unit = _username = value

  def password = _password
  def password_=(value: String): Unit = _password = value
}

The original code had a vulnerability due to inappropriate coding practices. The fields of the `User` class were defined as public, which does not respect the encapsulation principle. This could potentially allow unauthorized access and modification of these fields, leading to security risks. The fixed code changes the access modifiers of the `username` and `password` fields from public to private, respecting the encapsulation principle. This means that these fields can now only be accessed and modified within the `User` class itself. In addition, getter and setter methods have been added for the `username` and `password` fields. These methods provide a controlled way of accessing and modifying the fields. The getter methods (`username` and `password`) return the value of the respective field, while the setter methods (`username_=` and `password_=`) allow the value of the respective field to be changed. Any code that previously accessed the `username` and `password` fields directly will need to be updated to use these getter and setter methods instead. This ensures that the fields are accessed and modified in a controlled way, reducing the risk of unauthorized access or modification.

References

  • 138 - Inappropriate coding practices

    • Last updated

    2023/09/18