Description
Multiple security vulnerabilities were found in fineract-provider, as described in this report [1].
They fall into four types, all related to public mutable and non-constant fields:
1. Mutable fields should not be "public static"
- MITRE, CWE-582 - Array Declared Public, Final, and Static
- MITRE, CWE-607 - Public Static Final Field References Mutable Object
2. "static final" arrays should be "private"
- MITRE, CWE-582 - Array Declared Public, Final, and Static
- MITRE, CWE-607 - Public Static Final Field References Mutable Object
3. "public static" fields should be constant
- MITRE, CWE-500 - Public Static Field Not Marked Final
- CERT OBJ10-J - Do not use public static nonfinal variables
4. "enum" fields should not be publicly mutable
The reported finding of type 2 is considered a false positive. Findings of types 1, 3 and 4 are present as described in the report [1].
The proposed solutions [2] are as follows (each solution corresponds to the vulnerability type of the same number above):
1. Mutable fields should not be "public static" => Make the respective members protected. If they are in a class move them to a separate class and lower the visibility.
2. "static final" arrays should be "private" => Make the arrays private
3. "public static" fields should be constant => Make the respective field final
4. "enum" fields should not be publicly mutable => Lower the visibility of the setter, or remove it altogether.
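The following is an added, constructed example (not code from fineract-provider or from the linked report) showing each of the four patterns in a minimal "Before" form next to the remediation proposed above. Class, field and enum names are hypothetical; the point is that "final" on a reference does not make the referenced array, map or enum state read-only, so the fix is to lower visibility and expose only immutable views.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Constructed example, not Fineract code: each "Before" class shows one of the
// four reported patterns, each "After" class the proposed remediation.
public final class MutableStaticsDemo {

    // Type 1 (CWE-607): public static field referencing a mutable object.
    // Any caller can call Before1.SETTINGS.put(...) and change global state.
    static final class Before1 {
        public static final Map<String, String> SETTINGS = new HashMap<>();
    }
    // After: keep the reference private and expose a read-only view.
    static final class After1 {
        private static final Map<String, String> SETTINGS = new HashMap<>();
        public static Map<String, String> settings() {
            return Collections.unmodifiableMap(SETTINGS);
        }
    }

    // Type 2 (CWE-582): public static final array. "final" fixes only the
    // reference; the elements stay writable (Before2.ALLOWED_TYPES[0] = ...).
    static final class Before2 {
        public static final String[] ALLOWED_TYPES = {"csv", "xlsx"};
    }
    // After: private array, callers get an immutable copy.
    static final class After2 {
        private static final String[] ALLOWED_TYPES = {"csv", "xlsx"};
        public static List<String> allowedTypes() {
            return List.of(ALLOWED_TYPES);
        }
    }

    // Type 3 (CWE-500 / CERT OBJ10-J): public static field that is not final,
    // so it can be reassigned from anywhere in the process.
    static final class Before3 {
        public static int MAX_RETRIES = 3;
    }
    // After: make the field a constant.
    static final class After3 {
        public static final int MAX_RETRIES = 3;
    }

    // Type 4: enum with a publicly mutable field. Enum constants are global
    // singletons, so a public setter changes the value for the whole JVM.
    enum Before4 {
        ACTIVE(100);
        private int code;
        Before4(int code) { this.code = code; }
        public int getCode() { return code; }
        public void setCode(int code) { this.code = code; } // the problem
    }
    // After: field is final and the setter is removed.
    enum After4 {
        ACTIVE(100);
        private final int code;
        After4(int code) { this.code = code; }
        public int getCode() { return code; }
    }

    public static void main(String[] args) {
        // Show that the "Before" forms are mutable through their public surface.
        Before2.ALLOWED_TYPES[0] = "exe";
        System.out.println("Before2 array element is now: " + Before2.ALLOWED_TYPES[0]);
        Before4.ACTIVE.setCode(-1);
        System.out.println("Before4 enum code is now: " + Before4.ACTIVE.getCode());
        Before3.MAX_RETRIES = 0;
        System.out.println("Before3 MAX_RETRIES is now: " + Before3.MAX_RETRIES);

        // The "After" forms offer no public mutation path; the following would
        // not compile: After3.MAX_RETRIES = 0; After4.ACTIVE.setCode(-1);
        System.out.println("After2 allowed types: " + After2.allowedTypes());
        System.out.println("After4 enum code: " + After4.ACTIVE.getCode());
    }
}
```

Compile and run with `javac MutableStaticsDemo.java && java MutableStaticsDemo` (Java 9 or later for `List.of`). The "After" accessors return unmodifiable views or copies rather than the backing collection, which is what closes the mutation path while keeping the data readable.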
Some of the issues were fixed in FINERACT-436 [3]. The rest should be covered in this ticket.
[1] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
[2] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
[3] https://github.com/apache/fineract/pull/343