Page History

...

Returning references to an object's internal mutable components provides an attacker with the opportunity to corrupt the state of the object. Consequently, accessor methods must return defensive copies of internal mutable objects (see rule OBJ05-J. Defensively copy private mutable class members before returning their references for more information).

Noncompliant Code Example

...

This compliant solution demonstrates correct use both of a shallow copy (for the array of int) and of a deep copy (for the array of cookies).

  public void deepCopy(int[] ints, HttpCookie[] cookies) {
    if (ints == null || cookies == null) {
      throw new NullPointerException();
    }

    // Shallow copy
    int[] intsCopy = ints.clone();

    // Deep copy
    HttpCookie[] cookiesCopy = new HttpCookie[cookies.length];
    for (int i = 0; i < cookies.length; i++) {
      // Manually create copy of each element in array
      cookiesCopy[i] = (HttpCookie)cookies[i].clone();
    }
 
    doLogic(intsCopy, cookiesCopy);
}

...

// java.util.Collection is an interface
public void copyInterfaceInput(Collection<String> collection) {
  doLogic(collection.clone());
}

Compliant Solution

This compliant solution protects against potential malicious overriding by creating a new instance of the nonfinal mutable input, using the expected class rather than the class of the potentially malicious provided objectargument. The newly created instance can be forwarded to any code capable of modifying it.

...

...