Kingdom: Code Quality
Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.
Code Correctness: Invalid Call to Object.equals()
Abstract
The program calls Object.equals() on an array instead of java.util.Arrays.equals().
Explanation
Calling Object.equals() against an array is a mistake in most cases, since this will check the equality of the arrays' addresses, instead of the equality of the arrays' elements, and should usually be replaced by java.util.Arrays.equals().

Example 1: The following tries to check two arrays using the Object.equals() function.

public class Example1 {
    public static void main(String[] args) {
        int[] arr1 = new int[10];
        int[] arr2 = new int[10];
        // Object.equals() on arrays compares object references, not contents,
        // so this condition is false for two separately allocated arrays
        if (arr1.equals(arr2)) {
            // treat arrays as if they have identical elements
        }
    }
}

This will almost always result in code that is never executed, unless at some point there is an assignment of one array to the other.
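The following Java program is an added example, not part of the Fortify description, that contrasts the flagged Object.equals() call with java.util.Arrays.equals() and goes one step further than the page: for nested (multi-dimensional) arrays, Arrays.equals() also falls back to reference comparison of the inner arrays, and java.util.Arrays.deepEquals() is needed. Class and method names are chosen for illustration.

```java
import java.util.Arrays;

// Added example (not from the original page): reference comparison versus
// element comparison of arrays, including the nested-array case.
public class ArrayEqualityDemo {

    // The form the rule flags: Object.equals() on an array compares the two
    // references, so separately allocated arrays with equal contents do not match.
    static boolean sameByObjectEquals(int[] a, int[] b) {
        return a.equals(b);
    }

    // The recommended replacement for one-dimensional arrays:
    // compares length and every element in order.
    static boolean sameByArraysEquals(int[] a, int[] b) {
        return Arrays.equals(a, b);
    }

    // Arrays.equals(Object[], Object[]) calls equals() on each pair of inner
    // arrays, which is again a reference comparison. Arrays.deepEquals()
    // descends into nested arrays and compares their contents.
    static boolean sameNestedShallow(int[][] a, int[][] b) {
        return Arrays.equals(a, b);
    }

    static boolean sameNestedDeep(int[][] a, int[][] b) {
        return Arrays.deepEquals(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample input: two distinct arrays with identical contents.
        int[] arr1 = {1, 2, 3};
        int[] arr2 = {1, 2, 3};

        System.out.println("Object.equals, distinct arrays: " + sameByObjectEquals(arr1, arr2));
        System.out.println("Object.equals, same reference:  " + sameByObjectEquals(arr1, arr1));
        System.out.println("Arrays.equals, distinct arrays: " + sameByArraysEquals(arr1, arr2));

        // Constructed sample input: two distinct 2-D arrays with identical contents.
        int[][] grid1 = {{1, 2}, {3, 4}};
        int[][] grid2 = {{1, 2}, {3, 4}};

        System.out.println("Arrays.equals on int[][]:     " + sameNestedShallow(grid1, grid2));
        System.out.println("Arrays.deepEquals on int[][]: " + sameNestedDeep(grid1, grid2));
    }
}
```

Only the same-reference call and the Arrays.equals()/Arrays.deepEquals() calls report a match; this is also why a code reviewer can treat any `.equals(` whose receiver is an array type as dead or misleading comparison logic.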
References
[1] CERT, EXP02-J. Do not use the Object.equals() method to compare two arrays
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[4] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_call_to_object_equals