
Methods that return arrays sometimes return null intentionally to signal that zero instances are available. This practice can lead to vulnerabilities when the client code does not handle the null return case.

Non-Compliant Code Example

The erroneous behavior is caused by the server returning null while the client omits a check for that value. This non-compliant example shows how the check item != null is missing from the condition in class Client.

import java.util.Arrays;

class Inventory {
  private static int[] item;

  public Inventory() {
    item = new int[20];
  }

  // Returns null to signal an empty inventory: the caller must know to check for it
  public static int[] getStock() {
    if (item.length == 0)
      return null;
    else
      return item;
  }
}

public class Client {
  public static void main(String[] args) {
    Inventory iv = new Inventory();
    int[] item = Inventory.getStock();
    // item is dereferenced without a null check; a null return from getStock()
    // would throw a NullPointerException here
    if (item[1] == 1) {
      System.out.println("Almost out of stock!" + Arrays.toString(item));
    }
  }
}

Compliant Solution

import java.util.Arrays;

class Inventory {
  private static int[] item;

  public Inventory() {
    item = new int[20];
  }

  // Never returns null: an empty inventory is reported as a zero-length array
  public static int[] getStock() {
    if (item.length == 0) {
      // handle error (for example, log that the inventory is empty)
    }
    return item; // even if it is zero-length, return as is
  }
}

public class Client {
  public static void main(String[] args) {
    Inventory iv = new Inventory();
    int[] item = Inventory.getStock();
    // No null check is needed; the length check guards the zero-length case
    if (item.length > 1 && item[1] == 1) {
      System.out.println("Almost out of stock!" + Arrays.toString(item));
    }
  }
}
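The following is an added example, not code from the original page, that generalizes the compliant pattern slightly: a shared zero-length constant stands in for "no stock", callers receive defensive copies, and the client iterates over whatever it gets back without any null check. The class and method names (StockDemo, restock, sellOut, lowStockReport) are assumptions for illustration.

```java
import java.util.Arrays;

public class StockDemo {
    // One shared zero-length array serves every "empty" caller: nothing can be
    // stored in it, so handing out the same instance is safe.
    private static final int[] NO_STOCK = new int[0];

    private static int[] item = NO_STOCK; // inventory starts empty

    public static void restock(int... counts) {
        item = counts.clone(); // defensive copy of caller-supplied data
    }

    public static void sellOut() {
        item = NO_STOCK;
    }

    // Compliant: never returns null. A copy is returned so callers cannot
    // modify the internal array; an empty inventory yields a zero-length array.
    public static int[] getStock() {
        return item.length == 0 ? NO_STOCK : item.clone();
    }

    // Client logic that needs no null check: a zero-length array simply
    // produces no loop iterations and an empty report.
    public static String lowStockReport(int threshold) {
        StringBuilder report = new StringBuilder();
        int[] stock = getStock();
        for (int i = 0; i < stock.length; i++) {
            if (stock[i] <= threshold) {
                report.append("item ").append(i).append(" almost out of stock (")
                      .append(stock[i]).append(")\n");
            }
        }
        return report.toString();
    }

    public static void main(String[] args) {
        sellOut();
        System.out.print(lowStockReport(1));  // empty inventory: no output, no NPE
        restock(5, 1, 0, 12);
        System.out.print(lowStockReport(1));  // reports items 1 and 2
        System.out.println(Arrays.toString(getStock()));
    }
}
```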