
Java defines the equality operators == and != and the relational operators <, <=, > and >=. When applied to String object references, these operators become traps that an inexperienced programmer may unintentionally fall victim to.

Noncompliant Code Example

For == to return true for two string references, they must point to the same underlying object. This noncompliant example declares two different String objects with the same value; they compare unequal because they are distinct object references.

public class BadComparison {
  public static void main(String[] args) {
    String one = new String("one");
    String two = new String("one");
    if (one == two)
      System.out.println("Equal"); // not printed
  }
}

Compliant Solution 1

To be compliant, use the object1.equals(object2) method when comparing string values.

public class GoodComparison {
  public static void main(String[] args) {
    String one = new String("one");
    String two = new String("one");
    boolean result;
    if (one == null) {
      result = two == null;
    } else {
      result = one == two || one.equals(two);
    }
    System.out.println(result);
  }
}

These operators do appear to work when both operands are string literals with constant values (such as String one = "one" and String two = "two") or when the intern method has been called on both strings, so that the comparison is between canonical references (see Compliant Solution 2).

Compliant Solution 2

If it is desired to keep only one copy of each distinct string in memory and to perform quick repeated comparisons while still guaranteeing a result consistent with string1.equals(string2), the following compliant solution may be used.

public class GoodComparison {
  public static void main(String[] args) {
    String one = new String("one");
    String two = new String("one");
    boolean result;
    if (one != null) {
      one = one.intern();
    }
    if (two != null) {
      two = two.intern();
    }
    result = one == two;

    System.out.println(result);
  }
}

Note, however, that the performance gains achieved this way may be smaller than the benefits of more robust code that also handles non-constant and non-interned values. Moreover, such usage encourages ambiguity that hinders selection of the proper method for comparing String objects.
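The following added example (not part of the original rule text) shows why a reference comparison is unsafe as an authorization check: the outcome of == depends on how the string was constructed, not on its contents, whereas Objects.equals depends only on the contents. The class, method names and the "admin" role value are assumptions made for this illustration.

```java
import java.util.Objects;

public class StringCompareDemo {
    // Hypothetical role name used only for this illustration.
    static final String ADMIN = "admin";

    // Flawed: reference comparison. True only when the argument is the same
    // interned constant, so an equal-valued string built at run time is rejected
    // (or, with != in a deny-list check, an equal-valued string slips through).
    static boolean isAdminByReference(String role) {
        return role == ADMIN;
    }

    // Correct: null-safe comparison of string contents.
    static boolean isAdminByValue(String role) {
        return Objects.equals(role, ADMIN);
    }

    public static void main(String[] args) {
        String literal = "admin";                 // compile-time constant, interned (JLS 3.10.5)
        String folded = "ad" + "min";             // constant expression, also interned
        String runtime = new StringBuilder("ad").append("min").toString(); // built at run time
        String parsed = new String("admin");      // what a parser or deserializer typically hands over
        String nullRole = null;                   // missing role must not throw

        String[] names = { "literal", "folded", "runtime", "parsed", "null" };
        String[] roles = { literal, folded, runtime, parsed, nullRole };
        for (int i = 0; i < roles.length; i++) {
            System.out.printf("%-8s byReference=%-5b byValue=%b%n",
                    names[i], isAdminByReference(roles[i]), isAdminByValue(roles[i]));
        }
        // Interning canonicalises the run-time string, after which == agrees with equals.
        System.out.println("runtime.intern() == ADMIN: " + (runtime.intern() == ADMIN));
    }
}
```

Expected output: literal and folded report true for both checks, runtime and parsed report false by reference but true by value, null reports false for both, and the interned comparison prints true.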

In general, comparing two objects by reference is permissible only when the class controls its instances (for example, a singleton). The use of static factory methods over constructors facilitates instance control, which in turn limits the effective number of instances of an immutable class to one. As a result, for two such objects a and b, a.equals(b) is true only when a == b [Bloch 08]. The String class does not possess these characteristics.

Risk Assessment

Using the equality or relational operators to compare objects may lead to unexpected results.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
EXP03-J   low       unlikely    medium            P2        L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[JLS 05] Section 3.10.5, String Literals, http://java.sun.com/docs/books/jls/third_edition/html/lexical.html#3.10.5
[FindBugs 08] ES: Comparison of String objects using == or !=
[MITRE 09] CWE ID 595 "Incorrect Syntactic Object Comparison", http://cwe.mitre.org/data/definitions/595.html; CWE ID 597 "Use of Wrong Operator in String Comparison", http://cwe.mitre.org/data/definitions/597.html
