Sometimes null is returned intentionally to account for zero available instancesSome APIs intentionally return a null reference to indicate that instances are unavailable. This practice can lead to denial-of-service vulnerabilities when the client code does not fails to explicitly handle the null return value case.
Noncompliant Code Example
. A null value is an example of an in-band error indicator, which is discouraged by ERR52-J. Avoid in-band error indicators. For methods that return a set of values using an array or collection, returning an empty array or collection is an excellent alternative to returning a null value, as most callers are better equipped to handle and empty set than a null value.
Noncompliant Code Example
This noncompliant code example returns a null ArrayList when the size of the ArrayList is 0. The class Inventory contains a getStock() method that constructs a list of items that have 0 inventory and returns the list of items to the caller. The erroneous behavior is caused due to the server returning null while the client forgets to add in a check for such a value. This noncompliant example shows how the check item != null condition is missing from the if condition in class Client.
| Code Block | ||
|---|---|---|
| ||
class Inventory { private final static int[] itemHashtable<String, Integer> items; public Inventory() { itemitems = new int[20] Hashtable<String, Integer>(); } public static int[] getStock( List<String> getStock() { List<String> stock = new ArrayList<String>(); Enumeration itemKeys = items.keys(); while (itemKeys.hasMoreElements()) { if(item.length Object value = itemKeys.nextElement(); if((items.get(value)) == 0) { stock.add((String)value); } } if(items.size() == 0) { return null; } else { return itemstock; } } } public class Client { public static void main(String[] args) { Inventory ivinv = new Inventory(); List<String> int[] item items = Inventoryinv.getStock(); if (Arrays.asList(item[1]).contains(1)) { System.out.println("Almost out of stock!" + itemitems.size()); } } } |
Compliant Solution
| Wiki Markup |
|---|
This compliant solution eliminates the {{null}} return and simply returns the {{item}} array as is even if it is zero-length. The client can effectively handle this situation without exhibiting erroneous behavior. Be careful that the client does not try to access individual elements of a zero-length array such as {{item\[1\]}} while following this recommendation. |
}
|
When the size of this list is 0, a null value is returned with the assumption that the client will install the necessary checks. In this code example, the client lacks any null value check, causing a NullPointerException at runtime.
Compliant Solution
Instead of returning a null value, this compliant solution simply returns the List, even when it is empty.
| Code Block | ||
|---|---|---|
| ||
class Inventory {
private final Hashtable<String, Integer> items;
public Inventory() {
items = new Hashtable<String, Integer>();
}
public List<String> getStock() {
List<String> stock = new ArrayList<String>();
Integer noOfItems; // Number of items left in the inventory
Enumeration itemKeys = items.keys();
while (itemKeys.hasMoreElements()) {
Object value = itemKeys.nextElement();
if((noOfItems = items.get(value)) == 0) {
stock.add((String)value);
}
} | ||
| Code Block | ||
| ||
class Inventory { private static int[] item; public Inventory() { item = new int[20]; item[2] = 1; //quantity of item 2 remaining is 1, almost out! } public static int[] getStock() { return item;stock; // Return list (possibly zero-length) } } public class Client { public static void main(String[] args) { Inventory ivinv = new Inventory(); int[]List<String> itemitems = Inventoryinv.getStock(); System.out.println(items.size()); } } |
The client can handle this situation effectively without being interrupted by runtime exceptions. When returning arrays rather than collections, ensure that the client avoids attempts to access individual elements of a zero-length array. This prevents an ArrayOutOfBoundsException from being thrown.
Compliant Solution
This compliant solution returns an explicit empty list, which is an equivalent, permissible technique.
| Code Block | ||
|---|---|---|
| ||
public List<String> getStock() { List<String> stock = ifnew (Arrays.asList(item[1]).contains(1ArrayList<String>(); Integer noOfItems; // Number of items left in the inventory Enumeration itemKeys = items.keys(); while (itemKeys.hasMoreElements()) { Object value System.out.println("Almost out of stock!" + item); }= itemKeys.nextElement(); if((noOfItems = items.get(value)) == 0) { stock.add((String)value); } } if(l.isEmpty()) { return Collections.EMPTY_LIST; // Always zero-length } else { return stock; // Return list } } // Class Client ... |
...
Applicability
Returning a null value rather than a zero-length array or collection may lead to denial-of-service vulnerabilities when the client code does not fails to handle null return values properly.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MET03-J | low | unlikely | high | P1 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[Bloch 08|AA. Java References#Bloch 08]\] Item 43: return empty arrays or collections, not nulls |
Automatic detection is straightforward; fixing the problem typically requires programmer intervention.
Automated Detection
Bibliography
| [Bloch 2008] | Item 43, "Return Empty Arrays or Collections, Not Nulls" |
...
MET02-J. Avoid ambiguous uses of overloading 09. Methods (MET) MET30-J. Follow the general contract while overriding the equals method