Changing or bypassing accessibility is security-sensitive. For example, it has led in the past to the following vulnerability:
private methods were made private for a reason, and the same is true of every other visibility level. Altering or bypassing the accessibility of classes, methods, or fields violates the encapsulation principle and could introduce security holes.
This rule raises an issue when reflection is used to change the visibility of a class, method or field, and when it is used to directly update a field value.
* You are at risk if you answered yes to those questions.
Don't change or bypass the accessibility of any method or field if possible.
If untrusted code can execute this method, make sure that it cannot decide which method or field's accessibility can be modified or bypassed.
Untrusted code should never have direct access to the Java Reflection API. If this method can do it, make sure that it is an exception. Use ClassLoaders and SecurityManagers to sandbox any untrusted code and forbid access to the Reflection API.
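```java
public void makeItPublic(String methodName) throws NoSuchMethodException {
  // Suppresses Java access checks on the looked-up method
  this.getClass().getMethod(methodName).setAccessible(true); // Sensitive
}

public void setItAnyway(String fieldName, int value) throws NoSuchFieldException, IllegalAccessException {
  // Writes the field directly instead of going through its setter
  this.getClass().getDeclaredField(fieldName).setInt(this, value); // Sensitive; bypasses controls in setter
}
```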
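
One way to apply the recommendation that a caller must not decide which field's accessibility is bypassed, shown as an added example that is not part of the original rule text. The `Account` class, its fields and the `WRITABLE_FIELDS` allowlist are hypothetical names chosen for illustration.

```java
import java.lang.reflect.Field;
import java.util.Set;

public class AllowlistedReflection {
    // Hypothetical target: balance has a validating setter, retryLimit does not.
    static class Account {
        private int balance;
        private int retryLimit = 3;

        public void setBalance(int value) {
            if (value < 0) throw new IllegalArgumentException("negative balance");
            this.balance = value;
        }
        public int getBalance() { return balance; }
        public int getRetryLimit() { return retryLimit; }
    }

    // Fixed at compile time; callers cannot add names to it.
    private static final Set<String> WRITABLE_FIELDS = Set.of("retryLimit");

    static void setField(Account target, String fieldName, int value)
            throws NoSuchFieldException, IllegalAccessException {
        if (!WRITABLE_FIELDS.contains(fieldName)) {
            throw new SecurityException("reflective write to '" + fieldName + "' is not allowed");
        }
        // Resolve against the known class, not target.getClass(), so a subclass
        // cannot substitute a different field of the same name.
        Field f = Account.class.getDeclaredField(fieldName);
        f.setAccessible(true); // still Sensitive: justified only by the allowlist check above
        f.setInt(target, value);
    }

    public static void main(String[] args) throws Exception {
        Account a = new Account();
        setField(a, "retryLimit", 5);        // allowlisted field: permitted
        System.out.println("retryLimit=" + a.getRetryLimit());
        try {
            setField(a, "balance", -100);    // would skip setBalance's validation
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        a.setBalance(10);                    // validated path for guarded fields
        System.out.println("balance=" + a.getBalance());
    }
}
```

The `setAccessible(true)` call is still one the rule will flag; the allowlist is what makes it reviewable as an intentional exception.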