Sometimes null is returned intentionally to account for zero available instances. This practice can lead to vulnerabilities when the client code does not handle the null return case.
The erroneous behavior is caused due to the server returning null while the client forgets to add in a check for such a values. This non-compliant example shows how the check item != null is missing from the condition in class Client.
class Inventory {
private static int[] item;
public Inventory() {
item = new int[20]
}
public static int[] getStock() {
if(item.length == 0)
return null;
else
return item;
}
}
public class Client {
public static void main(String[] args) {
Inventory iv = new Inventory();
int[] item = Inventory.getStock();
if (item[1] == 1 ) {
System.out.println("Almost out of stock!" + item);
}
}
}
|
class Inventory {
private static int[] item;
public Inventory() {
item = new int[20]
}
public static int[] getStock() {
if(item.length == 0)
//handle error
else
return item; //even if it is zero-length, return as is
}
}
public class Client {
public static void main(String[] args) {
Inventory iv = new Inventory();
int[] item = Inventory.getStock();
if (item[1] == 1 ) {
System.out.println("Almost out of stock!" + item);
}
}
}
|