Java 1.5 and later support enumerated types. Syntactically these enums look like their C and C++ counterparts, but in Java they are far more powerful; in those other languages, enumerations are little more than glorified integers. All Java enumeration types have an ordinal() method that returns the numerical position of each enumeration constant in its type.

According to the Java API, Class Enum<E extends Enum<E>> [API 2013], public final int ordinal() returns the ordinal of the enumeration constant (its position in its enum declaration, where the initial constant is assigned an ordinal of zero). Most programmers will have no use for this method. It is designed for use by sophisticated enum-based data structures, such as EnumSet and EnumMap.

The Java Language Specification, §8.9, "Enums" [JLS 2013], does not specify the use of ordinal() in programs. Attaching external significance to the ordinal() value of an enum constant is error prone and should be avoided for defensive programming: the value is purely an artifact of declaration order, so reordering the constants or inserting a new one silently changes it.
Noncompliant Code Example
This noncompliant code example declares enum Hydrocarbon and uses its ordinal() method to provide the result of the getNumberOfCarbons() method:
```java
enum Hydrocarbon {
  METHANE, ETHANE, PROPANE, BUTANE, PENTANE,
  HEXANE, HEPTANE, OCTANE, NONANE, DECANE;

  public int getNumberOfCarbons() {
    return ordinal() + 1;  // Relies on declaration order
  }
}

public class TestHC {
  public static void main(String[] args) {
    ...
    Hydrocarbon hc = Hydrocarbon.HEXANE;
    int index = hc.getNumberOfCarbons();
    // NumberOfHydrogen is a lookup table declared elsewhere (not shown)
    int noHyd = NumberOfHydrogen[index]; // Can cause ArrayIndexOutOfBoundsException
  }
}
```
Although this noncompliant code example behaves as expected, its maintenance is likely to be problematic. If the enum constants were reordered, the getNumberOfCarbons() method would return incorrect values. Furthermore, adding a BENZENE constant to the model would break the invariant assumed by the getNumberOfCarbons() method, because benzene has six carbons but the ordinal value that maps to 6 is already taken by HEXANE; there is no position in the declaration at which BENZENE could be inserted without shifting the ordinals of the constants that follow it.
Compliant Solution
In this compliant solution, the enum constants are explicitly associated with the corresponding integer values for the number of carbon atoms they contain:
```java
enum Hydrocarbon {
  METHANE(1), ETHANE(2), PROPANE(3), BUTANE(4), PENTANE(5),
  HEXANE(6), BENZENE(6), HEPTANE(7), OCTANE(8), NONANE(9), DECANE(10);

  private final int numberOfCarbons;

  Hydrocarbon(int carbons) {
    this.numberOfCarbons = carbons;
  }

  public int getNumberOfCarbons() {
    return numberOfCarbons;
  }
}
```
The getNumberOfCarbons() method no longer uses ordinal() to discover the number of carbon atoms for each value. Different enum constants may be associated with the same value, as shown for HEXANE and BENZENE. Furthermore, this solution has no dependence on the order of the enumeration; the getNumberOfCarbons() method would continue to work even if the enumeration were reordered.
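The same hazard appears whenever an ordinal leaves the program, for example when it is written to a database or a wire format and read back by a later build in which a constant has been inserted. The following is an added example, not code from the CERT guideline, that carries the compliant pattern one step further: each constant gets an explicit, stable code that is safe to persist (distinct from the carbon count, which HEXANE and BENZENE legitimately share), a reverse lookup validates codes on the way back in, and a hypothetical decodeByOrdinal() shows what a reader that trusted values()[ordinal] would do once BENZENE has been inserted. The class name StableEnumCodes, the code numbers, the fromCode() and decodeByOrdinal() helpers, and the "persisted" values in main() are all constructed for this example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class StableEnumCodes {

    // Each constant carries an explicit, stable code instead of relying on ordinal().
    // HEXANE and BENZENE deliberately share the carbon count; the code is what must be unique.
    enum Hydrocarbon {
        METHANE(1, 1), ETHANE(2, 2), PROPANE(3, 3), BUTANE(4, 4), PENTANE(5, 5),
        HEXANE(6, 6), BENZENE(7, 6), HEPTANE(8, 7), OCTANE(9, 8), NONANE(10, 9), DECANE(11, 10);

        private final int code;            // stable identifier, safe to persist or transmit
        private final int numberOfCarbons; // domain attribute, may collide across constants

        // Reverse index built once; a duplicate code is a programming error caught at class init
        private static final Map<Integer, Hydrocarbon> BY_CODE;
        static {
            Map<Integer, Hydrocarbon> m = new HashMap<>();
            for (Hydrocarbon h : values()) {
                if (m.put(h.code, h) != null) {
                    throw new IllegalStateException("duplicate hydrocarbon code " + h.code);
                }
            }
            BY_CODE = Collections.unmodifiableMap(m);
        }

        Hydrocarbon(int code, int carbons) {
            this.code = code;
            this.numberOfCarbons = carbons;
        }

        public int getCode() { return code; }
        public int getNumberOfCarbons() { return numberOfCarbons; }

        // Used when reading a persisted code; unknown values are rejected rather than mapped
        public static Hydrocarbon fromCode(int code) {
            Hydrocarbon h = BY_CODE.get(code);
            if (h == null) {
                throw new IllegalArgumentException("unknown hydrocarbon code " + code);
            }
            return h;
        }
    }

    // Hypothetical legacy reader that trusted ordinal(): values()[storedOrdinal].
    // Before BENZENE was inserted, HEPTANE sat at index 6; it now sits at index 7.
    static Hydrocarbon decodeByOrdinal(int storedOrdinal) {
        Hydrocarbon[] all = Hydrocarbon.values();
        if (storedOrdinal < 0 || storedOrdinal >= all.length) {
            throw new IllegalArgumentException("ordinal out of range: " + storedOrdinal);
        }
        return all[storedOrdinal];
    }

    public static void main(String[] args) {
        // Constructed: an ordinal written by a build that predates BENZENE, meaning HEPTANE
        int persistedOrdinalOfHeptane = 6;
        System.out.println("ordinal 6 now decodes to " + decodeByOrdinal(persistedOrdinalOfHeptane));

        // Constructed: the same record stored by stable code instead
        int persistedCodeOfHeptane = 8;
        System.out.println("code 8 decodes to " + Hydrocarbon.fromCode(persistedCodeOfHeptane));
        System.out.println("carbons in BENZENE: " + Hydrocarbon.BENZENE.getNumberOfCarbons());

        // A corrupted or hostile code is rejected instead of silently landing on some constant
        try {
            Hydrocarbon.fromCode(99);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running this, decodeByOrdinal(6) returns BENZENE rather than HEPTANE with no error raised, which is exactly the silent misclassification the guideline warns about, whereas fromCode(8) still returns HEPTANE and fromCode(99) is rejected. The static block fails class initialization if two constants are ever given the same code, so a copy-paste mistake surfaces at startup rather than as a wrong lookup in production.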
Applicability
It is acceptable to use the ordinals associated with an enumerated type when the order of the enumeration constants is standard and extra constants cannot be added. For example, the use of ordinals is permitted with the following enumerated type:
```java
public enum Day {
  SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY
}
```
Risk Assessment
Use of ordinals to derive integer values reduces the program's maintainability and can lead to errors in the program.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL11-J | low | probable | medium | P4 | L3 |
Related Guidelines
C Secure Coding Standard: INT09-C. Ensure enumeration constants map to unique values
C++ Secure Coding Standard: INT09-CPP. Ensure enumeration constants map to unique values
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[API 2013] | Class Enum<E extends Enum<E>> |
[Bloch 2008] | Item 31, "Use Instance Fields Instead of Ordinals" |
[JLS 2013] | §8.9, "Enums" |