...
This guideline is a specific instance of OBJ58-JG. Do not rely on overridden methods provided by untrusted code.
Noncompliant Code Example
This noncompliant code example defines a validateValue() method that validates a time value:
...
```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

private void storeDateInDB(java.util.Date date) throws SQLException {
    // Copy the untrusted argument with the Date constructor, not clone(),
    // so the copy is a plain java.util.Date whose methods cannot be overridden
    final java.util.Date copy = new java.util.Date(date.getTime());
    if (validateValue(copy.getTime())) {
        Connection con = DriverManager.getConnection(
            "jdbc:microsoft:sqlserver://<HOST>:1433", "<UID>", "<PWD>");
        PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?");
        // The value stored is the same value that was validated
        pstmt.setLong(1, copy.getTime());
        // ...
    }
}
```
Applicability
Using the clone() method to copy untrusted arguments affords attackers the opportunity to bypass validation and security checks.
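The following added example (not from the CERT page) shows why a clone() call is not a defensive copy: a Date subclass can override getTime() and clone(), so a value that passes validateValue() need not be the value later stored. The class name DefensiveCopyDemo, the subclass FlakyDate and the MAX_TIME bound are assumptions made for the illustration; the copy-via-constructor method is the pattern from the code block above.

```java
import java.util.Date;

public class DefensiveCopyDemo {
    static final long MAX_TIME = 1_000_000L;   // hypothetical validation bound

    // Stand-in for the guideline's validateValue(): accept only in-range times
    static boolean validateValue(long time) {
        return time >= 0 && time <= MAX_TIME;
    }

    // Untrusted subclass (constructed for this example): the first getTime()
    // call returns an acceptable value, every later call an out-of-range one,
    // and clone() hands back the same object instead of a copy
    static class FlakyDate extends Date {
        private int calls = 0;
        @Override public long getTime() { return (calls++ == 0) ? 42L : MAX_TIME + 1; }
        @Override public Object clone() { return this; }
    }

    // Pattern the Applicability section warns against: clone() the argument
    static long storeWithClone(Date date) {
        Date copy = (Date) date.clone();            // still a FlakyDate
        if (!validateValue(copy.getTime())) throw new IllegalArgumentException("rejected");
        return copy.getTime();                      // value actually stored
    }

    // Pattern from the page's code block: copy through the Date constructor
    static long storeWithDefensiveCopy(Date date) {
        final Date copy = new Date(date.getTime()); // a plain java.util.Date
        if (!validateValue(copy.getTime())) throw new IllegalArgumentException("rejected");
        return copy.getTime();
    }

    public static void main(String[] args) {
        // Validation saw 42, but 1000001 is what gets stored
        System.out.println("clone():          " + storeWithClone(new FlakyDate()));
        // Validated and stored values are the same object state: 42
        System.out.println("defensive copy:   " + storeWithDefensiveCopy(new FlakyDate()));
    }
}
```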
Bibliography
...