SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 54

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 55

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Wiki Markup
Methods return values to communicate failure or success and, at other times, to update the caller'slocal objects or fields. Security risks can arise when method return values are ignored or when the invoking method fails to take suitable action on its receipt. When getter methods are named after an action, such as {{ProcessBuilder.redirectErrorStream()}}, a programmer could fail to realize that a return value is expected. Note that the only purpose of the {{ProcessBuilder.redirectErrorStream()}} method is to report via its return value whether the process builder successfully merges standard error and standard output;. theThe method that actually performs redirection of the error stream is the overloaded single-argument version. It is important to read the API documentation so that return values are not ignored.

{mc}
Another example is ignoring the return value from add() on a HashSet. If duplicate, false will be returned.
{mc}

h2. Noncompliant Code Example (File Deletion)

This noncompliant code example attempts to delete a file, but fails to check whether the operation has succeeded.

{code:bgColor=#FFcccc}
  File someFile = new File("someFileName.txt");
  // do something with someFile
  someFile.delete();
{code}

h2. Compliant Solution 

This compliant solution checks the ({{boolean}}) value returned by the {{delete()}} method and handles errors as appropriate.

{code:bgColor=#ccccff}
  File someFile = new File("someFileName.txt");
  // do something with someFile
  if (!someFile.delete()) {
    // handle failure to delete the file
  }
{code}

h2. Noncompliant Code Example (String Replacement)

This noncompliant code example ignores the return value of the {{String.replace()}} method, failing to update the original string. The {{String.replace()}} method cannot modify the state of the {{String}} (because {{String}} objects are immutable); rather, it returns a reference to a new {{String}} object containing the desired result.

{code:bgColor=#FFcccc}
public class Ignore {
  public static void main(String[] args) {
    String original = "insecure";
    original.replace( 'i', '9' );
    System.out.println(original);
  }
}
{code}

h2. Compliant Solution

This compliant solution correctly updates the {{String}} reference {{original}} with the return value from the {{String.replace}} method.

{code:bgColor=#ccccff}
public class DoNotIgnore {
  public static void main(String[] args) {
    String original = "insecure";
    original = original.replace( 'i', '9' );
    System.out.println(original);
  }
}
{code}

See also guideline [FIO02-J. Keep track of bytes read and account for character encoding while reading data].

h2. Risk Assessment

Ignoring method return values can lead to unanticipated program behavior.

|| Guideline || Severity || Likelihood || Remediation Cost || Priority || Level ||
| EXP00-J | medium | probable | medium | {color:#cc9900}{*}P8{*}{color} | {color:#cc9900}{*}L2{*}{color} |


h3. Automated Detection

The Coverity Prevent Version 5.0 *CHECKED_RETURN* checker can detect the instance where Value returned from a function is not checked for errors before being used.

h3. Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the [CERT website|https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+EXP02-J].

h2. Related Guidelines

C Secure Coding Standard: [seccode:EXP12-C. Do not ignore values returned by functions]

C+\+ Secure Coding Standard: [cplusplus:EXP12-CPP. Do not ignore values returned by functions or methods]

h2. Related Guidelines

[MITRE CWE|http://cwe.mitre.org/]: [CWE-252|http://cwe.mitre.org/data/definitions/252.html] "Unchecked Return Value"

h2. Bibliography

\[[API 2006|AA. Bibliography#API 06]\] method [delete()|http://java.sun.com/javase/6/docs/api/java/io/File.html#delete()] and method [replace()|http://java.sun.com/javase/6/docs/api/java/lang/String.html#replace(char,%20char)]
\[[Green 2008|AA. Bibliography#Green 08]\] ["String.replace"|http://mindprod.com/jgloss/gotchas.html]
\[[Pugh 2009|AA. Bibliography#Pugh 09]\] misusing putIfAbsent


----
[!The CERT Oracle Secure Coding Standard for Java^button_arrow_left.png!|04. Expressions (EXP)]      [!The CERT Oracle Secure Coding Standard for Java^button_arrow_up.png!|04. Expressions (EXP)]      [!The CERT Oracle Secure Coding Standard for Java^button_arrow_right.png!|EXP01-J. Do not confuse abstract object equality with reference equality]