You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Methods return values to signify failure or success, at other times, to update the caller's objects or fields. Security risks can arise if return values are simply ignored or if suitable action is not taken on their receipt.

Non-Compliant Code Example

This non-compliant code example ignores the return value while making use of the String.replace method. As a result, the original string is not updated even though it seems otherwise.

public class Ignore {
  public static void main(String[] args) {
    String original = "insecure";
    original.replace( 'i', '9' );
    System.out.println (original);
  }
}

Compliant Solution

The compliant solution correctly updates the original string object by assigning to it the return value.

public class DoNotIgnore {
  public static void main(String[] args) {
    String original = "insecure";
    original = original.replace( 'i', '9' );
    System.out.println (original);
  }
}

Risk Assessment

Ignoring method return values may lead to erroneous computation which, in turn, may lead to security risks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP02-J

medium

probable

medium

P??

L??

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Green 08]] "String.replace"
[[API 06]] String.replace

  • No labels