Python
JavaScript
Java
Go
C#
Ansible
AWS CloudFormation Linter
C & C++
Dart Analyze
Docker
Kotlin
KubeLinter
PHP
Ruby
Rust
Scala
Secrets
Shell
Slither
Solhint
SQL
Swift
Terraform
Test coverageSpring component introduces unmanaged stateJAVA-S1060
Critical
SecuritySpring components should not introduced unmanaged state variables (fields not managed by Spring).
Spring components such as @Component, @Controller, @Service, and @Repository are supposed to be singletons by default.
This means that no more than one instance of such classes must exist in an application. Furthermore, the state of these classes
is managed by the Spring container.
Non-injected properties in such classes could indicate an attempt to manage state. This introduces the risk of exposing data to clients that
shouldn't have access to such data. For example, one might accidentally allow User1 to access User2's session if such patterns are followed throughout the source code.
Bad Practice
@Component
public class MyComponent {
private Service someService;
}
Recommended
Consider injecting these fields manually.
@Component
public class MyComponent {
@Autowired
private final Service someService;
}
Alternatively, use constructor injection to inject dependencies.
@Component
public class MyComponent {
private final Service someService;
@Autowired
public MyComponent(Service someService) {
this.someService = someService;
}
}
References
- CWE-488 - Exposure of Data Element to Wrong Session
- OWASP Top Ten 2021 - Category A01 - Broken Access Control
- OWASP Top Ten 2021 - Category A04 - Insecure Design
- Spring Blog - Setter vs Construction Injection