...
| Code Block | ||
|---|---|---|
| ||
public void copyInterfaceInput(Collection<String> collection) {
// convert input to trusted implementation
collection = new ArrayList(collection);
doLogic(collection);
}
|
Some objects appear to be immutable because they have no mutator methods. For example, the java.lang.CharacterSequence interface describes an immutable sequence of characters. It should be noted that if the underlying implementation on which the CharacterSequence is based changes, the value of the CharacterSequence also changes. Such objects must be defensively copied before use. Using the toString() method to make them immutable, before passing as parameters, is also permissible.
Risk Assessment
Failing to create a copy of a mutable input may enable an attacker to exploit a TOCTOU vulnerability and at other times, expose internal mutable components to untrusted code.
...