Reasoning behind ArrayIsStoredDirectly rule of PMD

java security code-analysis pmd
Wilhelm Kleu picture Wilhelm Kleu · Jul 23, 2010 · Viewed 9k times · Source

PMD has a rule called ArrayIsStoredDirectly in the Sun Security ruleset:

Constructors and methods receiving arrays should clone objects and store the copy. This prevents that future changes from the user affect the internal functionality.

Here is their example:

public class Foo {
 private String [] x;
  public void foo (String [] param) {
      // Don't do this, make a copy of the array at least
      this.x=param;
  }
}

I don't think I completely understand the reasoning behind this rule. Is it because the values in the array passed can be altered somewhere else? Is there a difference between passing a Collection vs passing an array in regards to this?

Answer

Stephen C picture Stephen C · Jul 23, 2010

The problem is that the caller may keep a copy of the array argument that it passed, and can then change its contents. If the object is security critical and the call is made from untrusted code, you've got a security hole.

In this context, passing a collection and saving it without copying it would also be a potential security risk. (I don't know if there's a PMD rule to tell you this.)

In both cases, the way to address the risk (if it is real) is to set the attribute to a copy of the argument array or collection. On the other hand, if you know that the caller is always going to be trusted code, the copy is a waste of time, and a better solution would be to tell PMD to be quiet about that particular method.

Related questions

How to sanitize and validate user input to pass a Checkmarx scan

I have an endpoint that receives a String from the client as seen below: @GET @Path("/{x}") public Response doSomething(@PathParam("x") String x) { String y = myService.process(x); return Response.status(OK).entity(y).build(); } Checkmarx complains that this …

Read More
Java Error: "Your security settings have blocked a local application from running"

I'm trying to run this simple HelloWorld code written in Java from my browser (Chrome): public class HelloWorld extends JApplet { public void init() { try { SwingUtilities.invokeAndWait(new Runnable() { public void run() { JLabel lbl = new JLabel("Hello World"); add(lbl); } }); } catch (…

Read More
Why is char[] preferred over String for passwords?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords. Why does String pose a threat to …

Read More