...
| Code Block | ||
|---|---|---|
| ||
public List<String> getStock() {
List<String> stock = new ArrayList<String>();
Integer noOfItems; // Number of items left in the inventory
Enumeration itemkeys = items.keys();
while(itemkeys.hasMoreElements()) {
Object value = itemKeys.nextElement();
if((noOfItems = items.get(value)) == 0) {
stock.add((String)value);
}
}
if(l.isEmpty()) {
return Collections.EMPTY_LIST; // Always zero-length
} else {
return stock; // Return list
}
}
// Class Client ...
|
...
Applicability
Returning null rather than a zero-length array may lead to denial-of-service vulnerabilities when the client code does not handle null properly.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MET55-JG | low | unlikely | high | P1 | L3 |
...
Automatic detection is straightforward but fixing the problem will, most probably, require human intervention.
Related Guidelines
C Secure Coding Standard: MSC19-C. For functions that return an array, prefer returning an empty array over a null value
Bibliography
[Bloch 2008] Item 43: Return empty arrays or collections, not nulls
...