Java – Reasoning behind PMD's ArrayIsStoredDirectly rule

PMD has a rule named ArrayIsStoredDirectly in the Sun security rule set:

This is their example:

public class Foo {
    private String[] x;

    public void foo(String[] param) {
        // Don't do this, make a copy of the array at least
        this.x = param;
    }
}

I don't think I fully understand the reasons behind this rule. Is it because the values in the passed array can be changed elsewhere? What is the difference between passing a collection and passing an array?

Solution

The problem is that the caller can keep a copy of the array parameters it passes, and then change their contents. If an object is security critical and is invoked through untrusted code, there is a security vulnerability.

In this case, passing the collection and saving it without copying it will also be a potential security risk. (I don't know if there are PMD rules to tell you this.)

In both cases, the solution to the risk (if true) is to set the property to a copy of the parameter array or collection. On the other hand, if you know that the caller is always trusted code, then this copy is a waste of time. A better solution is to tell PMD to be quiet about this specific method.
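As an added example (not part of the original question or answer, and not PMD's own code), the classes LeakyHolder and SafeHolder below are assumed names: the first stores the caller's array directly, as in the flagged snippet, while the second copies the array and the collection on the way in, so writes the caller makes afterwards through its own reference are not seen by the holder.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class ArrayStoreDemo {

    // Stores the caller's array directly: this is what ArrayIsStoredDirectly flags.
    static final class LeakyHolder {
        private String[] x;

        public void foo(String[] param) {
            this.x = param; // same object the caller still holds
        }

        public String first() { return x[0]; }
    }

    // Defensive copies: the holder owns its own array and its own list.
    static final class SafeHolder {
        private String[] x;
        private List<String> names;

        public void foo(String[] param) {
            this.x = Arrays.copyOf(param, param.length);
        }

        public void setNames(List<String> param) {
            // copy, then wrap so the holder cannot hand out a mutable view either
            this.names = Collections.unmodifiableList(new ArrayList<>(param));
        }

        public String first() { return x[0]; }
        public List<String> names() { return names; }
    }

    public static void main(String[] args) {
        String[] roles = {"user"};               // constructed sample input
        LeakyHolder leaky = new LeakyHolder();
        SafeHolder safe = new SafeHolder();
        leaky.foo(roles);
        safe.foo(roles);
        roles[0] = "admin";                      // caller mutates its own reference later
        System.out.println("leaky holder sees: " + leaky.first());
        System.out.println("safe holder sees:  " + safe.first());

        List<String> list = new ArrayList<>(List.of("user"));
        safe.setNames(list);
        list.add("admin");                       // does not reach the holder's copy
        System.out.println("safe holder list:  " + safe.names());
    }
}
```

Running main shows the leaky holder reporting the caller's later write while the safe holder still reports the value it was given.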
