karaf-issues mailing list archives

From "Eduardo Aguinaga (JIRA)" <j...@apache.org>
Subject [jira] [Created] (KARAF-4213) Public cloneable() Method Without Final ('Object Hijack')
Date Tue, 15 Dec 2015 17:53:47 GMT
Eduardo Aguinaga created KARAF-4213:
---------------------------------------

             Summary: Public cloneable() Method Without Final ('Object Hijack')
                 Key: KARAF-4213
                 URL: https://issues.apache.org/jira/browse/KARAF-4213
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 4.0.3
            Reporter: Eduardo Aguinaga


HP Fortify SCA and SciTools Understand were used to perform an application security analysis
on the Karaf source code.

A class has a cloneable() method that is not declared final, which allows an object to be
created without calling the constructor. This can cause the object to be in an unexpected
state.

File: util\src\main\java\org\apache\karaf\util\collections\CopyOnWriteArrayIdentityList.java
Line: 247

CopyOnWriteArrayIdentityList.java, lines 246-255:
246 @Override
247 public Object clone() {
248     try {
249         CopyOnWriteArrayIdentityList thisClone = (CopyOnWriteArrayIdentityList) super.clone();
250         thisClone.setData(this.getData());
251         return thisClone;
252     } catch (CloneNotSupportedException e) {
253         throw new RuntimeException("CloneNotSupportedException is not expected here");
254     }
255 }
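As an added illustration of the weakness described above (this is constructed example code, not Karaf's CopyOnWriteArrayIdentityList), the class Holder mirrors the flagged pattern: a public, non-final clone() that relies on super.clone(), which never runs a constructor, and then repairs state through setData(). A subclass can redefine clone() so that callers who expect an independent copy get something else entirely; the names Holder, HijackedHolder and cloneIsIndependent are assumptions made for this example.

```java
import java.util.Arrays;

// Constructed example, not Karaf code. The constructor is the only place that
// establishes the invariant "data is a private, non-null copy".
class Holder implements Cloneable {
    private Object[] data;

    Holder(Object[] initial) {
        if (initial == null) throw new IllegalArgumentException("data must not be null");
        this.data = initial.clone();            // defensive copy made by the constructor
    }

    Object[] getData() { return data; }
    void setData(Object[] d) { data = d; }

    // Fix for the Fortify finding: declare this "public final Object clone()" (or make the
    // class final). With "final" here, HijackedHolder below no longer compiles.
    @Override
    public Object clone() {                     // overridable: subclasses decide what "clone" means
        try {
            Holder c = (Holder) super.clone();  // Object.clone(): no constructor runs here
            c.setData(Arrays.copyOf(data, data.length));
            return c;
        } catch (CloneNotSupportedException e) {
            throw new RuntimeException("CloneNotSupportedException is not expected here");
        }
    }
}

// Because clone() is not final, a subclass can hand back the original object instead of a
// copy. Any caller relying on clone() as a defensive copy now shares mutable state.
class HijackedHolder extends Holder {
    HijackedHolder(Object[] initial) { super(initial); }
    @Override public Object clone() { return this; }
}

public class CloneHijackDemo {
    // Check a practitioner can run against any Holder: did clone() really produce an
    // independent object with its own backing array?
    static boolean cloneIsIndependent(Holder h) {
        Holder c = (Holder) h.clone();
        return c != h && c.getData() != h.getData();
    }

    public static void main(String[] args) {
        Object[] seed = {"a", "b"};
        System.out.println("Holder clone independent: " + cloneIsIndependent(new Holder(seed)));
        System.out.println("HijackedHolder clone independent: " + cloneIsIndependent(new HijackedHolder(seed)));
    }
}
```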



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
