The buffer classes (such as IntBuffer, CharBuffer and ByteBuffer) defined in the java.nio package define wrap() methods, varying in parameters. The wrap() methods create a new Buffer object, however, the elements continue to persist in the backing array from which the buffer was created. If the buffer is altered by untrusted code, the backing array is maliciously modified. Likewise, the duplicate() method allows the creation of copies of the buffer but a caller may indirectly alter the contents of the backing buffer.
Noncompliant Code Example
This noncompliant code example declares a char array and allows untrusted code to obtain a copy using the getBufferCopy() method. The return value of this method is required to be of type CharBuffer.
final class Wrap {
private char[] dataArray;
public Wrap () {
dataArray = new char[10];
// Initialize
}
public CharBuffer getBufferCopy() {
return CharBuffer.wrap(dataArray);
}
}
Compliant Solution
This compliant solution returns a read-only view of the char array, in the form of a CharBuffer. Attempts to modify the elements of the CharBuffer result in a java.nio.ReadOnlyBufferException.
final class Wrap {
private char[] dataArray;
public Wrap () {
dataArray = new char[10];
// Initialize
}
public CharBuffer getBufferCopy() {
CharBuffer cb = CharBuffer.allocate(10);
return cb.asReadOnlyBuffer();
}
}
Compliant Solution
This compliant solution allocates a new CharBuffer and explicitly inserts the contents of the char array into it, before returning it.
final class Wrap {
private char[] dataArray;
public Wrap () {
dataArray = new char[10];
// Initialize
}
public CharBuffer getBufferCopy() {
CharBuffer cb = CharBuffer.allocate(10);
cb.put(dataArray);
return cb;
}
}
Noncompliant Code Example
This noncompliant code example uses the duplicate() method to create and return a copy of the CharBuffer. The returned buffer allows the caller to indirectly modify the elements of the original buffer.
final class Dup {
CharBuffer cb;
public Dup() {
cb = CharBuffer.allocate(10);
// Initialize
}
public CharBuffer getBufferCopy() {
return cb.duplicate();
}
}
If the CharBuffer created by the duplicate() method is based on a CharBuffer obtained by using the wrap() method, then the contents of the backing char array can be modified maliciously by modifying the particular CharBuffer.
Noncompliant Code Example
Creating a new CharBuffer, allocating it using allocate() and duplicating and storing another CharBuffer into it, does not prevent the contents of the duplicated buffer from being modified.
final class Dup {
CharBuffer cb;
public Dup() {
cb = CharBuffer.allocate(10);
// Initialize
}
public CharBuffer getBufferCopy() {
CharBuffer copy = CharBuffer.allocate(10);
copy = cb.duplicate();
return copy;
}
}
Compliant Solution
This compliant solution exposes a read-only view of the CharBuffer to untrusted code.
final class Dup {
CharBuffer cb;
public Dup() {
cb = CharBuffer.allocate(10);
// Initialize
}
public CharBuffer getBufferCopy() {
return cb.asReadOnlyBuffer();
}
}
Risk Assessment
Returning buffers created using the wrap() or duplicate() methods may allow an untrusted caller to alter the contents of the original data.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO01-J |
medium |
likely |
low |
P18 |
L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[API 2006]] class CharBuffer
[[Hitchens 2002]] 2.3 Duplicating Buffers
FIO00-J. Defensively copy mutable inputs and mutable internal components 09. Input Output (FIO) FIO02-J. Keep track of bytes read and account for character encoding while reading data