An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
Equals()
is called on an object that does not implement Equals()
.Equals()
on a class (or any super class/interface) that does not explicitly implement Equals()
results in a call to the Equals()
method inherited from System.Object
. Instead of comparing object member fields or other properties, Object.Equals()
compares two object instances to see if they are the same. Although there are legitimate uses of Object.Equals()
, it is often an indication of buggy code.
public class AccountGroup
{
private int gid;
public int Gid
{
get { return gid; }
set { gid = value; }
}
}
...
public class CompareGroup
{
public bool compareGroups(AccountGroup group1, AccountGroup group2)
{
return group1.Equals(group2); //Equals() is not implemented in AccountGroup
}
}
equals()
method is called on an object that does not implement equals()
.equals()
on a class (or any super class/interface) that does not explicitly implement equals()
results in a call to the equals()
method inherited from java.lang.Object
. Instead of comparing object member fields or other properties, Object.equals()
compares two object instances to see if they are the same. Although there are legitimate uses of Object.equals()
, it is often an indication of buggy code.
public class AccountGroup
{
private int gid;
public int getGid()
{
return gid;
}
public void setGid(int newGid)
{
gid = newGid;
}
}
...
public class CompareGroup
{
public boolean compareGroups(AccountGroup group1, AccountGroup group2)
{
return group1.equals(group2); //equals() is not implemented in AccountGroup
}
}
finalize()
method should call super.finalize()
.finalize()
method to call super.finalize()
[1].super.finalize()
.
protected void finalize() {
discardNative();
}
private void writeObject(java.io.ObjectOutputStream out) throws IOException;
private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException;
private void readObjectNoData() throws ObjectStreamException;
getWriter()
after calling getOutputStream
or vice versa.HttpServletRequest
, redirecting an HttpServletResponse
, or flushing the servlet's output stream buffer causes the associated stream to commit. Any subsequent buffer resets or stream commits, such as additional flushes or redirects, will result in IllegalStateException
s.ServletOutputStream
or PrintWriter
, but not both. Calling getWriter()
after having called getOutputStream()
, or vice versa, will also cause an IllegalStateException
.IllegalStateException
prevents the response handler from running to completion, effectively dropping the response. This can cause server instability, which is a sign of an improperly implemented servlet.Example 2: Conversely, the following code attempts to write to and flush the
public class RedirectServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
...
OutputStream out = res.getOutputStream();
...
// flushes, and thereby commits, the output stream
out.flush();
out.close(); // redirecting the response causes an IllegalStateException
res.sendRedirect("http://www.acme.com");
}
}
PrintWriter
's buffer after the request has been forwarded.
public class FlushServlet extends HttpServlet {
public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
...
// forwards the request, implicitly committing the stream
getServletConfig().getServletContext().getRequestDispatcher("/jsp/boom.jsp").forward(req, res);
...
// IllegalStateException; cannot redirect after forwarding
res.sendRedirect("http://www.acme.com/jsp/boomboom.jsp");
PrintWriter out = res.getWriter();
// writing to an already-committed stream will not cause an exception,
// but will not apply these changes to the final output, either
out.print("Writing here does nothing");
// IllegalStateException; cannot flush a response's buffer after forwarding the request
out.flush();
out.close();
}
}
Content-Length
header is set as negative.Content-Length
header of a request indicates a developer is interested in0
or aContent-Length
.
URL url = new URL("http://www.example.com");
HttpURLConnection huc = (HttpURLConnection)url.openConnection();
huc.setRequestProperty("Content-Length", "-1000");
Content-Length
header is set as negative.Content-Length
header of a request indicates a developer is interested in0
or aContent-Length
header as negative:
xhr.setRequestHeader("Content-Length", "-1000");
ToString()
is called on an array.ToString()
on an array indicates a developer is interested in returning the contents of the array as a String. However, a direct call to ToString()
on an array will return a string value containing the array's type.System.String[]
.
String[] stringArray = { "element 1", "element 2", "element 3", "element 4" };
System.Diagnostics.Debug.WriteLine(stringArray.ToString());
toString()
is called on an array.toString()
on an array indicates a developer is interested in returning the contents of the array as a String. However, a direct call to toString()
on an array will return a string value containing the array's type and hashcode in memory.[Ljava.lang.String;@1232121
.
String[] strList = new String[5];
...
System.out.println(strList);