Sometimes a method intentionally returns null to signal that there are zero available instances. This practice can lead to vulnerabilities (typically an unhandled NullPointerException) when the client code does not handle the null return case.
Non-Compliant Code Example
The erroneous behavior arises because the server returns null while the client omits the check for such a value. This non-compliant example shows the item != null check missing from the if condition in class Client, so the client dereferences item even when getStock() returned null.
import java.util.Arrays;

class Inventory {
    private static int[] item;

    public Inventory() {
        item = new int[20];
    }

    // Returns null when there is no stock; every caller must remember to check for it
    public static int[] getStock() {
        if (item.length == 0)
            return null;
        else
            return item;
    }
}

public class Client {
    public static void main(String[] args) {
        Inventory iv = new Inventory();
        int[] item = Inventory.getStock();
        // Missing "item != null" check: item[1] throws NullPointerException when getStock() returned null
        if (Arrays.asList(item[1]).contains(1)) {
            System.out.println("Almost out of stock!" + Arrays.toString(item));
        }
    }
}
Compliant Solution
This compliant solution eliminates the null return and simply returns the item array as is, even if it is zero-length. The client can then handle this situation without exhibiting erroneous behavior, because iterating over or taking the length of an empty array is always safe. Be careful that the client does not try to access individual elements of a zero-length array, such as item[1], while following this recommendation; doing so throws an ArrayIndexOutOfBoundsException instead of a NullPointerException.
import java.util.Arrays;

class Inventory {
    private static int[] item;

    public Inventory() {
        item = new int[20];
        item[2] = 1; // quantity of item 2 remaining is 1, almost out!
    }

    // Never returns null: a zero-length array is returned as is
    public static int[] getStock() {
        return item;
    }
}

public class Client {
    public static void main(String[] args) {
        Inventory iv = new Inventory();
        int[] item = Inventory.getStock();
        // Safe against null, but item[1] would still fail on a zero-length array
        if (Arrays.asList(item[1]).contains(1)) {
            System.out.println("Almost out of stock!" + Arrays.toString(item));
        }
    }
}
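The recommendation above, carried one step further as an added example that is not part of the original page: the server returns a shared zero-length array instead of null, and the client scans the stock by iteration rather than indexing a fixed position such as item[1], so it is correct for both empty and populated stock. Class and method names (SafeInventory, almostOutOfStock) are assumed.

```java
import java.util.Arrays;
import java.util.stream.IntStream;

// Added example: non-null contract plus a client that is safe for zero-length results.
class SafeInventory {
    private static final int[] EMPTY = new int[0]; // shared empty result; length 0, so nothing to corrupt
    private final int[] item;

    SafeInventory(int... quantities) {
        // Defensive copy so callers cannot mutate internal state through the returned array
        this.item = (quantities == null) ? EMPTY : quantities.clone();
    }

    // Contract: never returns null; callers may iterate without a null check.
    public int[] getStock() {
        return item.length == 0 ? EMPTY : item.clone();
    }

    // Indices of items with exactly one unit left, or a zero-length array if there are none.
    public static int[] almostOutOfStock(int[] stock) {
        return IntStream.range(0, stock.length)
                .filter(i -> stock[i] == 1)
                .toArray();
    }
}

public class SafeClient {
    public static void main(String[] args) {
        // Case 1: zero-length stock (constructed input). No null check, no item[1], no exception.
        int[] empty = new SafeInventory().getStock();
        System.out.println("empty stock -> low items "
                + Arrays.toString(SafeInventory.almostOutOfStock(empty))); // prints []

        // Case 2: populated stock (constructed input); item 2 has one unit left.
        int[] stock = new SafeInventory(5, 0, 1, 7).getStock();
        int[] low = SafeInventory.almostOutOfStock(stock);
        if (low.length > 0) {
            System.out.println("Almost out of stock: items " + Arrays.toString(low)); // prints [2]
        }
    }
}
```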