public AtomicReferenceArray(E[] array) {
    // Visibility guaranteed by final field guarantees
    this.array = Arrays.copyOf(array, array.length, Object[].class);
}
Applicability
Using the clone() method to copy untrusted arguments affords attackers the opportunity to execute arbitrary code.
11. Do not use Object.equals() to compare cryptographic keys
The method java.lang.Object.equals(), by default, is unable to compare composite objects such as cryptographic keys. Most Key classes fail to provide an equals() implementation that overrides Object.equals(). In such cases, the components of the composite object must be compared individually to ensure correctness.
Noncompliant Code Example
This noncompliant code example compares two keys using the equals() method. The keys may compare as unequal even when they represent the same value.
private static boolean keysEqual(Key key1, Key key2) {
    // Noncompliant: relies on Key.equals(), which most Key classes do not override,
    // so two objects representing the same key can compare as unequal.
    if (key1.equals(key2)) {
        return true;
    }
    return false;
}
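A component-wise comparison of the kind this guideline calls for, as an added example that is not code from the book: the KeyCompare class and its keysEqual helper are hypothetical. It compares algorithm and encoded form (using MessageDigest.isEqual() so the byte comparison runs in constant time), tolerates opaque keys whose getEncoded() returns null, and falls back to comparing the RSA modulus and private exponent, since the same RSA private key encodes differently with and without CRT parameters.

```java
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.RSAPrivateKeySpec;
import java.security.spec.X509EncodedKeySpec;

public class KeyCompare {
    // Hypothetical helper (added example): compare keys by their components.
    static boolean keysEqual(Key key1, Key key2) {
        if (key1 == null || key2 == null) {
            return key1 == key2;
        }
        byte[] enc1 = key1.getEncoded();
        byte[] enc2 = key2.getEncoded();
        // getEncoded() may return null for opaque (e.g. hardware-backed) keys; compare
        // encodings only when both exist. MessageDigest.isEqual() runs in constant time.
        if (enc1 != null && enc2 != null
                && key1.getAlgorithm().equalsIgnoreCase(key2.getAlgorithm())
                && MessageDigest.isEqual(enc1, enc2)) {
            return true;
        }
        // The same RSA private key may be encoded with or without CRT parameters, so
        // the encodings differ; fall back to comparing modulus and private exponent.
        if (key1 instanceof RSAPrivateKey && key2 instanceof RSAPrivateKey) {
            RSAPrivateKey k1 = (RSAPrivateKey) key1;
            RSAPrivateKey k2 = (RSAPrivateKey) key2;
            return k1.getModulus().equals(k2.getModulus())
                    && k1.getPrivateExponent().equals(k2.getPrivateExponent());
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        KeyFactory kf = KeyFactory.getInstance("RSA");
        // Round-trip the public key through its encoding: a new object, the same key.
        Key pubCopy = kf.generatePublic(new X509EncodedKeySpec(pair.getPublic().getEncoded()));
        System.out.println("public keys equal: " + keysEqual(pair.getPublic(), pubCopy));
        // Rebuild the private key without CRT parameters: different encoding, same key.
        RSAPrivateKey priv = (RSAPrivateKey) pair.getPrivate();
        Key privNoCrt = kf.generatePrivate(
                new RSAPrivateKeySpec(priv.getModulus(), priv.getPrivateExponent()));
        System.out.println("private keys equal: " + keysEqual(priv, privNoCrt));
    }
}
```

Both checks print true: the public key copy matches on its encoding, while the CRT and non-CRT private keys match only through the modulus and private-exponent fallback.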