提到私人班级成员怎么会很危险 [英] How can references to private class members be dangerouse

问题描述

我目前正在阅读 CERT Java安全编码标准.

我正在为此

I am struggling with this rule. The severity of this rule is high, which means a violation of this rule can lead to a privilege escalation or execution of code.

我真的不了解如何违反此规则会导致如此致命的事情.有人可以举例说明对违反此规则的代码的攻击吗?

I don't really understand how a violation of this rule can lead to such fatal things. Can somebody make an example of an attack on a code which violates this rule?

推荐答案

您可能有一个在类的构造函数中建立的不变式，例如date包含实例的创建时间:

You might have an invariant which you establish in the constructor of the class, e.g. that date contains the creation time of the instance:

class Foo {
  private final Date date;

  Foo() { this.date = new Date(); }

  Date getDate() { return date; }
}

现在，如果我调用getDate().setTime(0)，则可以使该实例看起来像它是在1970-1-1 00:00:00Z中创建的.

Now, if I call getDate().setTime(0), I can make the instance look like it was created at 1970-1-1 00:00:00Z.

如果基于Foo的创建日期有一些逻辑，则可以通过这种方式来操纵它以表现出不同的行为.

If you have some logic based on the creation date of a Foo, it can be manipulated to behave differently in this way.

这篇关于提到私人班级成员怎么会很危险的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！