Changing or bypassing accessibility is security-sensitive. For example, it has led in the past to the following vulnerability:

Private methods were made private for a reason, and the same is true of every other visibility level. Altering or bypassing the accessibility of classes, methods, or fields violates the encapsulation principle and can introduce security holes.

This rule raises an issue when reflection is used to change the visibility of a class, method or field, and when it is used to directly update a field value.

Ask Yourself Whether

You are at risk if you answered yes to those questions.

Recommended Secure Coding Practices

Don't change or bypass the accessibility of any method or field if possible.

If untrusted code can execute this method, make sure that it cannot decide which method or field's accessibility can be modified or bypassed.

Untrusted code should never have direct access to the Java Reflection API. If a method must do so anyway, make sure that it is a documented exception. Use ClassLoaders and SecurityManagers in order to sandbox any untrusted code and forbid access to the Reflection API.

Sensitive Code Example

public void makeItPublic(String methodName) throws NoSuchMethodException {
  this.getClass().getMethod(methodName).setAccessible(true); // Sensitive
}

public void setItAnyway(String fieldName, int value) throws NoSuchFieldException, IllegalAccessException {
  this.getClass().getDeclaredField(fieldName).setInt(this, value); // Sensitive; bypasses controls in setter
}
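An added example, not part of the rule description, that contrasts the reflective field write above with a setter-routed allow-list, which is one way to follow the recommendation that untrusted callers must not choose which field is modified. The Account class, its balance invariant and the setChecked method are hypothetical.

```java
import java.lang.reflect.Field;
import java.util.Map;
import java.util.function.IntConsumer;

// Hypothetical account class: the setter enforces an invariant that a direct
// reflective write to the field silently bypasses.
public class Account {
    private int balance;

    public void setBalance(int value) {
        if (value < 0) {
            throw new IllegalArgumentException("balance must not be negative");
        }
        this.balance = value;
    }

    public int getBalance() {
        return balance;
    }

    // Sensitive: the caller picks the field name and the write skips setBalance's check.
    public void setItAnyway(String fieldName, int value)
            throws NoSuchFieldException, IllegalAccessException {
        Field f = this.getClass().getDeclaredField(fieldName);
        f.setInt(this, value);
    }

    // Safer alternative: a fixed allow-list of writable properties, each routed
    // through its validating setter, so untrusted input cannot name an arbitrary field.
    private final Map<String, IntConsumer> writable = Map.of("balance", this::setBalance);

    public void setChecked(String propertyName, int value) {
        IntConsumer setter = writable.get(propertyName);
        if (setter == null) {
            throw new IllegalArgumentException("property not writable: " + propertyName);
        }
        setter.accept(value);
    }

    public static void main(String[] args) throws Exception {
        Account a = new Account();
        a.setItAnyway("balance", -50);      // succeeds: the invariant is violated
        System.out.println(a.getBalance());
        try {
            a.setChecked("balance", -50);   // rejected by the validating setter
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```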

See