...
This compliant solution avoids the TOCTOU vulnerability by copying the mutable input and then perform all operations on the copy. Consequently, an attacker's changes to the mutable input cannot affect copy. Acceptable techniques include using a copy constructor or implementing the java.lang.Cloneable
interface and declaring a public
clone method (for classes not declared as final
. In cases where the mutable class is declared final
— that is, it cannot provide an accessible copy method — perform a manual copy of the object state within the caller. See guideline OBJ10OBJ08-J. Provide mutable classes with copy functionality to allow passing instances to untrusted code safely for more information. Note that any input validation must be performed on the copy and not on the original object.
...