Application code that calls security-sensitive methods must validate the arguments being passed to those methods. In particular, null values may be interpreted as benign by certain security-sensitive methods and may override default settings. Although security-sensitive methods must be coded defensively in the first place, sometimes the onus is on the client code to validate the arguments it provides. Failure to do so can result in privilege escalation and execution of arbitrary code.
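The following is an added example, not code from the original page. It assumes `java.security.AccessController.doPrivileged(action, context)` as the security-sensitive method, because that method documents that a null context applies no additional restriction. The class and method names (`PrivilegedRunner`, `runUnchecked`, `runChecked`) are hypothetical, and `AccessController` is deprecated for removal in recent JDKs, hence the suppressed warning.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Objects;

// Added illustration; class and method names are hypothetical.
@SuppressWarnings("removal") // AccessController is deprecated in recent JDKs
public final class PrivilegedRunner {

    // Unvalidated: a null context is forwarded as-is. doPrivileged treats null
    // as "no additional restriction", so the intended limits are silently lost.
    static <T> T runUnchecked(PrivilegedAction<T> action, AccessControlContext ctx) {
        return AccessController.doPrivileged(action, ctx);
    }

    // Validated: the caller refuses to make the security-sensitive call unless
    // both arguments are present, instead of relying on the callee's defaults.
    static <T> T runChecked(PrivilegedAction<T> action, AccessControlContext ctx) {
        Objects.requireNonNull(action, "action");
        if (ctx == null) {
            throw new SecurityException("missing AccessControlContext");
        }
        return AccessController.doPrivileged(action, ctx);
    }

    public static void main(String[] args) {
        // Constructed sample action: reads a system property.
        PrivilegedAction<String> readUser = () -> System.getProperty("user.name");

        // The null context is accepted and the action runs unrestricted.
        System.out.println("unchecked, null ctx: " + (runUnchecked(readUser, null) != null));

        // The same call through the validating wrapper is rejected up front.
        try {
            runChecked(readUser, null);
            System.out.println("checked, null ctx: accepted");
        } catch (SecurityException e) {
            System.out.println("checked, null ctx: rejected (" + e.getMessage() + ")");
        }

        // With a real context (here, a snapshot of the current one) it proceeds.
        AccessControlContext current = AccessController.getContext();
        System.out.println("checked, real ctx: " + (runChecked(readUser, current) != null));
    }
}
```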

...