Arrays do not override Object's equals() method. Consequently, the default implementation of the equals() method simply compares the array references instead of the contents of the arrays. If only the references need to be compared, it is better to use relational operators, such as == and !=. Vulnerabilities can result, for instance, when two arrays containing signers are compared incorrectly.
Noncompliant Code Example
This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays.
int[] arr1 = new int[20]; // initialized to 0
int[] arr2 = new int[20]; // initialized to 0
arr1.equals(arr2); // false: compares references, not contents
Compliant Solution
This compliant solution compares the two arrays using the two-argument Arrays.equals() method.
import java.util.Arrays;
Arrays.equals(arr1, arr2); // true: compares the contents element by element
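The following program is an added example, not part of the CERT rule text, that contrasts the three comparisons discussed above (Object.equals(), ==, and Arrays.equals()) on the same arrays. It also goes one step beyond the rule: for nested arrays, Arrays.equals() only compares the outer array's element references, so Arrays.deepEquals() is needed, and for arrays of objects Arrays.equals() delegates to each element's equals() method. The class and method names are the example's own.

```java
import java.util.Arrays;

public class ArrayEqualityDemo {

    // Reference comparison: true only when both variables point to the same array object.
    static boolean sameReference(int[] a, int[] b) {
        return a == b;
    }

    // Content comparison for one-dimensional primitive arrays (what the rule requires).
    static boolean sameContents(int[] a, int[] b) {
        return Arrays.equals(a, b);
    }

    // Nested arrays: Arrays.equals would compare the inner arrays by reference,
    // so Arrays.deepEquals is required to compare their contents.
    static boolean sameNestedContents(int[][] a, int[][] b) {
        return Arrays.deepEquals(a, b);
    }

    public static void main(String[] args) {
        int[] arr1 = new int[20]; // initialized to 0
        int[] arr2 = new int[20]; // initialized to 0

        System.out.println(arr1.equals(arr2));          // false: Object.equals compares references
        System.out.println(sameReference(arr1, arr2));  // false: two distinct objects
        System.out.println(sameContents(arr1, arr2));   // true: identical contents

        int[] alias = arr1;
        System.out.println(sameReference(arr1, alias)); // true: same object, so == is correct here

        int[][] m1 = { {1, 2}, {3, 4} };
        int[][] m2 = { {1, 2}, {3, 4} };
        System.out.println(Arrays.equals(m1, m2));      // false: inner arrays are distinct objects
        System.out.println(sameNestedContents(m1, m2)); // true: deepEquals recurses into the rows

        // Object arrays: Arrays.equals calls equals() on each pair of elements,
        // so two distinct String objects with the same characters compare equal.
        String[] s1 = { new String("alice"), "bob" };
        String[] s2 = { "alice", "bob" };
        System.out.println(Arrays.equals(s1, s2));      // true
    }
}
```

Compile and run with `javac ArrayEqualityDemo.java && java ArrayEqualityDemo`. The aliasing case shows the one situation in which == is the right tool: when the question really is whether two variables refer to the same array, not whether two arrays hold the same values.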
Risk Assessment
Using the equals() method or the relational operators to compare the contents of arrays can produce incorrect results.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
EXP33-J | low | likely | low | P9 | L2
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.