Flagged fields, excerpt from the scanned class:

```java
public static double possessed_scientist_melee_damage = 2;

@Entry
public static double possessed_soldier_health = 15;
@Entry
public static float possessed_soldier_ranged_damage = 2;

@Entry
public static double mechazombie_health = 25;
@Entry
public static float mechazombie_ranged_damage = 3;

@Entry
public static double gorenest_health = 5;
}
```
This code contains a public static field which is not final, or is mutable even when declared as final.
Consider making the field private, as such a field can be manipulated from anywhere in the application to produce unintended results.
Here, the NUM_RETRIES field could be manipulated to perform a Denial of Service (DoS) attack when set to a very high number.

```java
class SomeClass {
    public static int NUM_RETRIES = 3;
}

// Elsewhere...
SomeClass someObj = ...;
SomeClass.NUM_RETRIES = Integer.MAX_VALUE; // This could make an application hang!
```
There are multiple ways to avoid this, and you must choose the best method as per your requirements.
Make the field final
If you do not need the field to be mutable, consider just making it final:
```java
public static final int NUM_RETRIES = 3;
```
Make the field private
If you require the field to be mutable, consider making the field private. If you also need to expose the field to API consumers, consider adding a static or instance getter method for the field:
```java
private static int NUM_RETRIES = 3;

// Pick one of the two getters below: a static and an instance method with the
// same name and parameter list cannot both exist in the same class.

// Static getter
public static final int getNumRetries() {
    return NUM_RETRIES;
}

// Instance getter, only usable when we have an instance of this class created.
public final int getNumRetries() {
    return NUM_RETRIES;
}
```
If you also need to be able to set the value, make sure to sanitize the assigned data. You could check whether the retry value is within a maximum permissible limit (MAX_NUM_RETRIES) and, if the assigned value is below 0 or above that limit, clamp it to within those limits.

```java
// MAX_NUM_RETRIES is a constant declared elsewhere in the class, for example:
// private static final int MAX_NUM_RETRIES = 10;
public static final void setNumRetries(int retries) {
    // clamp retries to within the range 0 to MAX_NUM_RETRIES.
    retries = (retries > MAX_NUM_RETRIES) ? MAX_NUM_RETRIES : ((retries < 0) ? 0 : retries);
    NUM_RETRIES = retries;
}
```
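As an added example (not code from the scanned project or from the rule text), the flagged configuration pattern hardened along the lines described above: the fields become private, reads go through getters, and writes go through clamping setters, with a bounded retry loop as the consumer the DoS concern refers to. The bounds MAX_HEALTH, MAX_DAMAGE and MAX_NUM_RETRIES, the class name and the demo in main are assumptions.

```java
import java.util.function.BooleanSupplier;

public final class HardenedConfig {
    // Upper bounds are assumptions for this example; the scanned project declares none.
    public static final double MAX_HEALTH = 1000.0;
    public static final float MAX_DAMAGE = 100.0f;
    public static final int MAX_NUM_RETRIES = 10;
    // The formerly public static, non-final fields are now private, keeping their defaults.
    private static double mechazombie_health = 25;
    private static float mechazombie_ranged_damage = 3;
    private static int NUM_RETRIES = 3;

    private HardenedConfig() {}

    // Clamp to [0, max]. NaN would slip through Math.min/Math.max, so it is mapped to 0.
    private static double clamp(double v, double max) {
        return Double.isNaN(v) ? 0.0 : Math.max(0.0, Math.min(max, v));
    }
    private static float clamp(float v, float max) {
        return Float.isNaN(v) ? 0.0f : Math.max(0.0f, Math.min(max, v));
    }
    private static int clamp(int v, int max) {
        return Math.max(0, Math.min(max, v));
    }

    public static double getMechazombieHealth() { return mechazombie_health; }
    public static void setMechazombieHealth(double h) { mechazombie_health = clamp(h, MAX_HEALTH); }
    public static float getMechazombieRangedDamage() { return mechazombie_ranged_damage; }
    public static void setMechazombieRangedDamage(float d) { mechazombie_ranged_damage = clamp(d, MAX_DAMAGE); }
    public static int getNumRetries() { return NUM_RETRIES; }
    public static void setNumRetries(int retries) { NUM_RETRIES = clamp(retries, MAX_NUM_RETRIES); }

    // The consumer the rule worries about: with an unbounded retry count this loop could
    // run for a very long time; with the clamped setter it is bounded by MAX_NUM_RETRIES.
    public static boolean retry(BooleanSupplier attempt) {
        for (int i = 0; i < getNumRetries(); i++) {
            if (attempt.getAsBoolean()) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        setNumRetries(Integer.MAX_VALUE);                // the write from the rule description
        setMechazombieHealth(Double.POSITIVE_INFINITY);  // clamped to MAX_HEALTH
        setMechazombieRangedDamage(-7.5f);               // clamped to 0
        System.out.println("retries=" + getNumRetries() + " health=" + getMechazombieHealth()
            + " damage=" + getMechazombieRangedDamage());
        System.out.println("retry loop gave up after bounded attempts: " + !retry(() -> false));
    }
}
```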