The buffer classes defined in the java.nio package (such as IntBuffer, CharBuffer and ByteBuffer) provide wrap() methods with varying parameter lists. A wrap() method creates a new Buffer object, but the elements continue to reside in the backing array from which the buffer was created. Consequently, if untrusted code alters the buffer, it alters the backing array as well. Likewise, the duplicate() method creates a copy of a buffer, but the copy shares its content with the original, so a caller may indirectly alter the contents of the backing buffer.

Noncompliant Code Example

This noncompliant code example declares a char array and allows untrusted code to obtain what appears to be a copy through the getBufferCopy() method, whose return type is required to be CharBuffer. Because wrap() shares the backing array with the buffer it creates, any modification of the returned buffer is visible in dataArray.

import java.nio.CharBuffer;

final class Wrap {
  private char[] dataArray;

  public Wrap() {
    dataArray = new char[10];
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    // wrap() does not copy: the returned buffer is backed by dataArray itself
    return CharBuffer.wrap(dataArray);
  }
}

Compliant Solution

This compliant solution returns a read-only view of the char array, in the form of a CharBuffer. Attempts to modify the elements of the CharBuffer result in a java.nio.ReadOnlyBufferException.

import java.nio.CharBuffer;

final class Wrap {
  private char[] dataArray;

  Wrap() {
    dataArray = new char[10];
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    // Read-only view of dataArray; put() on it throws ReadOnlyBufferException
    return CharBuffer.wrap(dataArray).asReadOnlyBuffer();
  }
}

Compliant Solution

This compliant solution allocates a new CharBuffer and explicitly copies the contents of the char array into it before returning it. The caller receives an independent copy, so modifications to the returned buffer do not affect dataArray.

import java.nio.CharBuffer;

final class Wrap {
  private char[] dataArray;

  Wrap() {
    dataArray = new char[10];
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    CharBuffer cb = CharBuffer.allocate(10);
    cb.put(dataArray);
    cb.flip(); // reset position to 0 so the caller can read the copied elements
    return cb;
  }
}

Noncompliant Code Example

This noncompliant code example uses the duplicate() method to create and return a copy of the CharBuffer. The returned buffer allows the caller to indirectly modify the elements of the original buffer.

...

If the CharBuffer passed to duplicate() was itself obtained from wrap(), the duplicate shares the same backing char array, so modifying the duplicate modifies that array.

Noncompliant Code Example

Allocating a new CharBuffer with allocate() and then assigning the result of duplicate() to that reference does not produce an independent copy: the newly allocated buffer is simply discarded, and the returned duplicate still shares its content with cb.

import java.nio.CharBuffer;

final class Dup {
  CharBuffer cb;

  public Dup() {
    cb = CharBuffer.allocate(10);
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    CharBuffer copy = CharBuffer.allocate(10);
    copy = cb.duplicate(); // the allocated buffer is discarded; copy shares content with cb
    return copy;
  }
}

Compliant Solution

This compliant solution exposes a read-only view of the CharBuffer to untrusted code.

import java.nio.CharBuffer;

final class Dup {
  CharBuffer cb;

  public Dup() {
    cb = CharBuffer.allocate(10);
    // Initialize
  }

  public CharBuffer getBufferCopy() {
    // Read-only view; writes through it throw ReadOnlyBufferException
    return cb.asReadOnlyBuffer();
  }
}
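The following self-contained class, added here as an illustration and not part of the CERT rule, puts the noncompliant and compliant approaches above side by side: a wrap()-based buffer and its duplicate() both write through to the private array, the asReadOnlyBuffer() view rejects writes, and the allocate()+put() copy is independent. The class name and its sample data are assumptions made for the demonstration.

```java
import java.nio.CharBuffer;
import java.nio.ReadOnlyBufferException;

// Added demonstration, not code from the CERT rule.
public final class BufferAliasDemo {
    // Constructed sample data standing in for the rule's dataArray.
    private final char[] dataArray = "secret".toCharArray();

    // Noncompliant: wrap() shares dataArray with the returned buffer.
    public CharBuffer wrapped() {
        return CharBuffer.wrap(dataArray);
    }

    // Compliant: read-only view; any put() throws ReadOnlyBufferException.
    public CharBuffer readOnlyView() {
        return CharBuffer.wrap(dataArray).asReadOnlyBuffer();
    }

    // Compliant: independent copy; flip() so the caller reads from index 0.
    public CharBuffer independentCopy() {
        CharBuffer cb = CharBuffer.allocate(dataArray.length);
        cb.put(dataArray);
        cb.flip();
        return cb;
    }

    public static void main(String[] args) {
        BufferAliasDemo d = new BufferAliasDemo();

        // 1. A write through the wrapped buffer lands in the private array.
        d.wrapped().put(0, 'X');
        System.out.println("after wrap()+put:      " + new String(d.dataArray));

        // 2. duplicate() of a wrapped buffer still aliases the same array.
        d.wrapped().duplicate().put(1, 'Y');
        System.out.println("after duplicate()+put: " + new String(d.dataArray));

        // 3. The read-only view rejects the write; the array is untouched.
        try {
            d.readOnlyView().put(2, 'Z');
        } catch (ReadOnlyBufferException e) {
            System.out.println("read-only view rejected the write: " + new String(d.dataArray));
        }

        // 4. Writing to the defensive copy changes only the copy.
        CharBuffer copy = d.independentCopy();
        copy.put(0, 'Q');
        System.out.println("copy=" + copy + " data=" + new String(d.dataArray));
    }
}
```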

Risk Assessment

Returning buffers created using the wrap() or duplicate() methods may allow an untrusted caller to alter the contents of the original data.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
FIO37-J   medium    likely      low               P18       L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.


...