Skip to content

Fix #24 - Limit the extensibility of classes and methods #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix #24 - Limit the extensibility of classes and methods #26

wants to merge 2 commits into from

Conversation

@OlivierJaquemet
Copy link
Contributor

@OlivierJaquemet OlivierJaquemet commented Feb 26, 2020

Apply Guideline 4-5 / EXTEND-5: Limit the extensibility of classes and
methods from the Secure Coding Guidelines for Java SE
https://www.oracle.com/technetwork/java/seccodeguide-139067.html#4-5

(reported by running VisualCodeGrepper
https://github.com/nccgroup/VCG/blob/master/VisualCodeGrepper/modJavaCheck.vb#L318
)

@OlivierJaquemet
Fix #24 - Limit the extensibility of classes and methods
b3bd9e7 
Apply Guideline 4-5 / EXTEND-5: Limit the extensibility of classes and
methods from the Secure Coding Guidelines for Java SE
https://www.oracle.com/technetwork/java/seccodeguide-139067.html#4-5
@samdjstevens
Copy link
Owner

samdjstevens commented Feb 26, 2020

Thanks for the PR - I'm not 100% this is needed/beneficial. Whilst it does improve security and composition should be favoured over inheritence generally, is it being too restrictive by not allowing consumers to override RecoveryCodeGenerator for example?

@OlivierJaquemet
Copy link
Contributor Author

OlivierJaquemet commented Feb 26, 2020

@samdjstevens honestly, I'm not sure either I should have made all classes final.
As stated in the Secure Coding Guidelines, we have two choices "Design classes and methods for inheritance or declare them final"...
So I have absolutely no problem in reverting some of them !!

I may have been a little overzealous :p

@OlivierJaquemet
final classes : allow inheritance for default implementation classes
dafb15d 
Be a little more openminded in applying
Guideline 4-5 / EXTEND-5: Limit the extensibility of classes and
methods from the Secure Coding Guidelines for Java SE
https://www.oracle.com/technetwork/java/seccodeguide-139067.html#4-5

Rule is :
"Design classes and methods for inheritance" or "declare them final"
This commit reverts use of final classes for default implementation
of as it was clearly design for inheritance and should be kept this way
@OlivierJaquemet
Copy link
Contributor Author

OlivierJaquemet commented Feb 28, 2020

PR updated to revert use of final keyword for all classes which could be subclassed.

@samdjstevens
Copy link
Owner

samdjstevens commented Mar 1, 2020

Appreciate the work on this, but because these changes would require a new major version (non backwards compatible API changes) I think I'm going to hold off merging until other breaking changes are introduced into the library. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

on-hold

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@OlivierJaquemet @samdjstevens