Page History

The buffer classes (Buffer classes defined in the java.nio package, such as IntBuffer, CharBuffer, and ByteBuffer) defined in the java.nio package define wrap() methods, varying in parameters. The wrap() , define a variety of methods that wrap an array (or a portion of the array) of the corresponding primitive data type into a buffer and return the buffer as a Buffer object. Although these methods create a new Buffer object, however, the elements continue to persist in the backing array from which the buffer was created. If the buffer is altered by untrusted code, the backing array is maliciously modifiedthe new Buffer is backed by the given input array. According to the Java API for these methods [API 2014],

The new buffer will be backed by the given character array; that is, modifications to the buffer will cause the array to be modified and vice versa.

Exposing these buffers to untrusted code exposes the backing array of the original buffer to malicious modification. Likewise, the duplicate() method allows the creation of copies of the buffer but a caller may indirectly alter the contents of the backing buffer(), array(), slice(), and subsequence() methods create additional buffers that are backed by the original buffer's backing array; exposing such additional buffers to untrusted code affords the same opportunity for malicious modification.

This rule is an instance of OBJ06-J. Defensively copy mutable inputs and mutable internal components.

Noncompliant Code Example (wrap())

This noncompliant code example declares a char array and allows untrusted code to obtain a copy using , wraps it within a CharBuffer, and exposes that CharBuffer to untrusted code via the getBufferCopy() method. The return value of this method is required to be of type CharBuffer.:

final class Wrap {
  private char[] dataArray;
  
  public Wrap () {
    dataArray = new char[10];
    // Initialize
  }
	
  public CharBuffer getBufferCopy() {
    return CharBuffer.wrap(dataArray);	
  }
}

Compliant Solution (asReadOnlyBuffer())

This compliant solution returns a read-only view of the char array , in the form of a read-only CharBuffer. Attempts The standard library implementation of CharBuffer guarantees that attempts to modify the elements of the a read-only CharBuffer will result in a java.nio.ReadOnlyBufferException.

final class Wrap {
  private char[] dataArray;

  public Wrap () {
    dataArray = new char[10];
    // Initialize
  }
	
  public CharBuffer getBufferCopy() {
    CharBufferreturn cb = CharBuffer.allocatewrap(10);
    return cbdataArray).asReadOnlyBuffer();
  }
}

Compliant Solution (Copy)

This compliant solution allocates a new CharBuffer and explicitly inserts copies the contents of the char array into it , before returning itthe copy. Consequently, malicious callers can modify the copy of the array but cannot modify the original.

final class Wrap {
  private char[] dataArray;

  
public  Wrap () {
    dataArray = new char[10];
    // Initialize
  }
	
  public CharBuffer getBufferCopy() {
    CharBuffer cb = CharBuffer.allocate(10dataArray.length);
    cb.put(dataArray);
    return cb;
  }
}

Noncompliant Code Example (duplicate())

This noncompliant code example uses invokes the duplicate() method to create and return a copy of the CharBuffer. The returned buffer allows the caller to indirectly modify the elements of the original buffer.

final class Dup {
  CharBuffer cb;
 
  public Dup() {
    cb = CharBuffer.allocate(10);
    // Initialize
  }

  public CharBuffer getBufferCopy() {	
    return cb.duplicate();
  }
}

If the CharBuffer created by the duplicate() method is based on a CharBuffer obtained by using the wrap() method, then the contents of the backing char array can be modified maliciously by modifying the particular CharBuffer.

Noncompliant Code Example

Creating a new CharBuffer, allocating it using allocate() and duplicating and storing another CharBuffer into it, does not prevent the contents of the duplicated buffer from being modifiedAs stated in the contract for the duplicate() method, the returned buffer is backed by the same array as is the original buffer. Consequently, if a caller were to modify the elements of the backing array, these modifications would also affect the original buffer.

final class Dup {
  CharBuffer cb;
 
  public Dup() {
    cb = CharBuffer.allocate(10);
    // Initialize
  }

  public CharBuffer getBufferCopy() {	
    CharBuffer copy = CharBuffer.allocate(10);
    copy =return cb.duplicate();
    return copy;
  }
}

Compliant Solution (asReadOnlyBuffer())

This compliant solution exposes a read-only view of the CharBuffer to untrusted code.:

final class Dup {
  CharBuffer cb;
 
  public Dup() {
    cb = CharBuffer.allocate(10);
    // Initialize
  }

  public CharBuffer getBufferCopy() {	
    return cb.asReadOnlyBuffer();
  }
}

Risk Assessment

Returning Exposing buffers created using the wrap() or duplicate, duplicate(), array(), slice(), or subsequence() methods  methods may allow an untrusted caller to alter the contents of the original data.

Automated Detection

...

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Sound automated detection of this vulnerability is not feasible. Heuristic approaches may be useful.

Tool	Version	Checker	Description
Parasoft Jtest	Include Page Parasoft_V Parasoft_V	CERT.FIO05.BUFEXP	Do not expose data wrapped by a buffer to untrusted code
SpotBugs	Include Page SpotBugs_V SpotBugs_V	MS_EXPOSE_BUF EI_EXPOSE_BUF2 EI_EXPOSE_BUF EI_EXPOSE_STATIC_BUF2	Implemented (since 4.3.0)

Bibliography

...

Image Added Image Added Image Added

\[[API 06|AA. Java References#API 06]\] class {{CharBuffer}}
\[[Hitchens 02|AA. Java References#Hitchens 02]\] 2.3 Duplicating Buffers

FIO36-J. Do not create multiple buffered wrappers on an InputStream      09. Input Output (FIO)      10. Input Validation and Data Sanitization (IDS)