Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.
anonymous
field is set to enabled:true
.
...
kind: KubeletConfiguration
...
authentication:
anonymous:
enabled: true
...
Register
) is accessed from a web form that asks the users to register an account by providing their name and password:
public ActionResult Register(RegisterModel model)
{
if (ModelState.IsValid)
{
try
{
return RedirectToAction("Index", "Home");
}
catch (MembershipCreateUserException e)
{
ModelState.AddModelError("", "");
}
}
return View(model);
}
RegisterModel
class is defined as:
public class RegisterModel
{
[BindRequired]
[Display(Name = "User name")]
public string UserName { get; set; }
[BindRequired]
[DataType(DataType.Password)]
[Display(Name = "Password")]
public string Password { get; set; }
[DataType(DataType.Password)]
[Display(Name = "Confirm password")]
public string ConfirmPassword { get; set; }
public Details Details { get; set; }
public RegisterModel()
{
Details = new Details();
}
}
Details
class is defined as:
public class Details
{
public bool IsAdmin { get; set; }
...
}
Example 1
, an attacker may be able to explore the application and discover that there is a Details
attribute in the RegisterModel
model. If this is the case, the attacker may then attempt to overwrite the current values assigned to their attributes.
name=John&password=****&details.is_admin=true
<struts-config>
<form-beans>
<form-bean name="dynaUserForm"
type="org.apache.struts.action.DynaActionForm" >
<form-property name="type" type="java.lang.String" />
<form-property name="user" type="com.acme.common.User" />
</form-bean>
...
User
class is defined as:
public class User {
private String name;
private String lastname;
private int age;
private Details details;
// Public Getters and Setters
...
}
Details
class is defined as:
public class Details {
private boolean is_admin;
private int id;
private Date login_date;
// Public Getters and Setters
...
}
Example 1
, an attacker may be able to explore the application and discover that there is a details
attribute in the User
model. If this is the case, the attacker may then attempt to overwrite the current values assigned to their attributes.
type=free&user.name=John&user.lastname=Smith&age=22&details.is_admin=true
private final Logger logger =
Logger.getLogger(MyClass.class);
public class MyClass {
private final static Logger good =
Logger.getLogger(MyClass.class);
private final static Logger bad =
Logger.getLogger(MyClass.class);
private final static Logger ugly =
Logger.getLogger(MyClass.class);
...
}
Console.Out
or Console.Error
rather than a dedicated logging facility makes it difficult to monitor the program behavior.
public class MyClass {
...
Console.WriteLine("hello world");
...
}
Console.WriteLine()
.Console.WriteLine
may indicate an oversight in the move to a structured logging system.os.Stdout
or os.Stderr
rather than a dedicated logging facility makes it difficult to monitor the program behavior.
...
func foo(){
fmt.Println("Hello World")
}
fmt.Println()
.os.Stdout
or os.Stderr
might indicate an oversight in the move to a structured logging system.System.out
or System.err
rather than a dedicated logging facility makes it difficult to monitor the program behavior.
public class MyClass
...
System.out.println("hello world");
...
}
System.out.println()
.System.out
or System.err
may indicate an oversight in the move to a structured logging system.process.stdout
or process.stderr
rather than a dedicated logging facility makes it difficult to monitor the behavior of the program.
process.stdin.on('readable', function(){
var s = process.stdin.read();
if (s != null){
process.stdout.write(s);
}
});
process.stdout.write()
.process.stdout
or process.stderr
may indicate an oversight in the move to a structured logging system.print
or println
rather than a dedicated logging facility makes it difficult to monitor the program behavior.
class MyClass {
...
println("hello world")
...
}
}
print
or println
.
sys.stdout.write("hello world")
sys.stdout
or sys.stderr
may indicate an oversight in the move to a structured logging system.Kernel.puts
,Kernel.warn
or Kernel.printf
rather than a dedicated logging facility makes it difficult to monitor the behavior of the program.
...
puts "hello world"
...
Kernel.puts
.Kernel.puts
,Kernel.warn
or Kernel.printf
may indicate an oversight in the move to a structured logging system.Logger
class, but logs information to a system output stream:
require 'logger'
...
logger = Logger.new($stdout)
logger.info("hello world")
...
ERROR_CODE
is declared as public and static, but not final:
public class MyClass
{
public static int ERROR_CODE = 100;
//...
}