
AndHow.getGroupForProperty breaks security model by allowing GroupProxy access #624

Closed
eeverman opened this issue Sep 28, 2021 · 1 comment


eeverman commented Sep 28, 2021

Describe the bug
AndHow is supposed to enforce the same scope model as Java: if code cannot 'see' the Property, it cannot access its value. The AndHow.getGroupForProperty method creates a backdoor by which application code can see Properties that it wouldn't normally have access to and thus read the value of those properties. Here is an example:

public class MyClass {
  private StrProp MySecret....
  public StrProp PublicProp...
}
... somewhere else ...
{
  // This returns a list including MySecret, allowing access to its value
  AndHow.getGroupForProperty(PublicProp).getProperties();
}

There is no reason for this method on the AndHow class - Application code never needs to know which class contained a Property and it shouldn't care.

AndHow has this method because it implements the StaticPropertyConfiguration interface. There is an internal version of this interface, so this method was moved there (StaticPropertyConfigurationInternal).
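The leak described above, as an added stand-alone illustration that is not AndHow's own code: a minimal property registry in the same style (a Property is a static field handle, values live in the registry, a Group lists every Property one class declared). The public interface only resolves a Property the caller already holds, so Java visibility decides what can be read; the group lookup sits on a separate internal interface. The `PropertyConfigurationInternal leaky = registry;` line stands in for the pre-fix situation where that lookup was reachable from application code, and shows the private sibling being read through it. All class and method names and the sample values are constructed for this example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Single-file demo: run with `java ScopeLeakDemo.java` (Java 11+).
class ScopeLeakDemo {
    public static void main(String[] args) {
        Registry registry = new Registry();
        MyClass.registerWith(registry);

        // What application code should receive: the public interface only.
        PropertyConfiguration app = registry;
        System.out.println("PublicProp = " + app.getValue(MyClass.PUBLIC_PROP));
        // MyClass.MY_SECRET is private, so this does not compile, which is the intended model:
        // app.getValue(MyClass.MY_SECRET);
        // Nor does app.getGroupForProperty(...): the method is not on the public type.

        // The bug: when the group lookup sat on the public type, any caller holding a public
        // Property could walk its group and read siblings it cannot name. Hypothetical pre-fix view:
        PropertyConfigurationInternal leaky = registry;
        for (Property p : leaky.getGroupForProperty(MyClass.PUBLIC_PROP).getProperties()) {
            System.out.println(p.getName() + " = " + leaky.getValue(p)); // MySecret is printed too
        }
    }
}

/** A typed handle to a configuration value; the value itself lives in the registry. */
final class Property {
    private final String name;
    Property(String name) { this.name = name; }
    String getName() { return name; }
}

/** Every Property declared by one class, analogous to a group proxy. */
final class Group {
    private final Class<?> owner;
    private final List<Property> properties;
    Group(Class<?> owner, List<Property> properties) {
        this.owner = owner;
        this.properties = Collections.unmodifiableList(new ArrayList<>(properties));
    }
    Class<?> getOwner() { return owner; }
    List<Property> getProperties() { return properties; }
}

/** The only surface application code should see: resolve a Property it already holds. */
interface PropertyConfiguration {
    String getValue(Property p);
}

/** Framework-internal surface: group lookup lives here, off the public type. */
interface PropertyConfigurationInternal extends PropertyConfiguration {
    Group getGroupForProperty(Property p);
}

/** Stand-in for the framework registry (constructed for this example). */
final class Registry implements PropertyConfigurationInternal {
    private final Map<Property, String> values = new IdentityHashMap<>();
    private final Map<Property, Group> groups = new IdentityHashMap<>();

    /** Register one class's Properties and their values, as a class scanner would. */
    void register(Class<?> owner, Map<Property, String> declared) {
        Group group = new Group(owner, new ArrayList<>(declared.keySet()));
        declared.forEach((p, v) -> { values.put(p, v); groups.put(p, group); });
    }

    @Override public String getValue(Property p) { return values.get(p); }

    @Override public Group getGroupForProperty(Property p) { return groups.get(p); }
}

/** The configured class from the issue: one private and one public Property. */
final class MyClass {
    private static final Property MY_SECRET = new Property("MySecret");
    public static final Property PUBLIC_PROP = new Property("PublicProp");

    static void registerWith(Registry registry) {
        Map<Property, String> declared = new LinkedHashMap<>();
        declared.put(MY_SECRET, "constructed-sample-secret");      // constructed sample value
        declared.put(PUBLIC_PROP, "https://example.invalid/base"); // constructed sample value
        registry.register(MyClass.class, declared);
    }
}
```

The point of the split interfaces is that the compiler, not a runtime check, is what keeps `MY_SECRET` out of reach: delete the internal interface from the application's classpath view and the `leaky` block no longer compiles, while `app.getValue(MyClass.PUBLIC_PROP)` still does.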

@eeverman eeverman self-assigned this Sep 28, 2021
@eeverman eeverman added this to the 0.4.2 milestone Sep 28, 2021
@eeverman eeverman changed the title AndHow.getGroupForProperty breaks security model and should be removed AndHow.getGroupForProperty breaks security model by allowing GroupProxy access Sep 28, 2021
@eeverman (Owner, Author)

fixed by #623
