Eduardo Aguinaga created KARAF-4213:
---------------------------------------
Summary: Public cloneable() Method Without Final ('Object Hijack')
Key: KARAF-4213
URL: https://issues.apache.org/jira/browse/KARAF-4213
Project: Karaf
Issue Type: Bug
Affects Versions: 4.0.3
Reporter: Eduardo Aguinaga
HP Fortify SCA and SciTools Understand were used to perform an application
security analysis on the karaf source code.
A class has a cloneable() method that is not declared final, which allows an
object to be created without calling the constructor. This can cause the object
to be in an unexpected state.
File:
util\src\main\java\org\apache\karaf\util\collections\CopyOnWriteArrayIdentityList.java
Line: 247
CopyOnWriteArrayIdentityList.java, lines 246-255:
246     @Override
247     public Object clone() {
248         try {
249             CopyOnWriteArrayIdentityList thisClone = (CopyOnWriteArrayIdentityList) super.clone();
250             thisClone.setData(this.getData());
251             return thisClone;
252         } catch (CloneNotSupportedException e) {
253             throw new RuntimeException("CloneNotSupportedException is not expected here");
254         }
255     }
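The following stand-alone example is added here to illustrate the finding; it is not Karaf code. The classes OpenList and HijackedList are hypothetical stand-ins shaped like the flagged method: the constructor enforces an invariant, an overridable clone() lets a subclass hand back an instance that skips it, and the comment at the end shows the one-word fix (save as ObjectHijackDemo.java).

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for the flagged class (not Karaf's code): the
// constructor guarantees "data is never null", but clone() is overridable.
class OpenList implements Cloneable {
    private List<Object> data;

    OpenList(List<Object> initial) {
        if (initial == null) throw new IllegalArgumentException("initial must not be null");
        this.data = new ArrayList<>(initial);
    }
    protected void setData(List<Object> d) { this.data = d; }
    protected List<Object> getData() { return data; }
    public int size() { return data.size(); }

    @Override
    public Object clone() {
        try {
            OpenList c = (OpenList) super.clone();   // Object.clone(): no constructor runs
            c.setData(new ArrayList<>(this.getData()));
            return c;
        } catch (CloneNotSupportedException e) {
            throw new RuntimeException("CloneNotSupportedException is not expected here");
        }
    }
}

// Because clone() is not final, a subclass can replace it and return an object
// the constructor would have rejected: the "object hijack" the report describes.
class HijackedList extends OpenList {
    HijackedList() { super(new ArrayList<>()); }

    @Override
    public Object clone() {
        OpenList c = (OpenList) super.clone();
        c.setData(null);                          // invariant broken, constructor never consulted
        return c;
    }
}

public class ObjectHijackDemo {
    public static void main(String[] args) {
        OpenList copy = (OpenList) new HijackedList().clone();
        try {
            copy.size();
        } catch (NullPointerException e) {
            System.out.println("clone() bypassed the constructor invariant: data is null");
        }
        // Mitigation: change OpenList.clone() to 'public final Object clone()'.
        // HijackedList.clone() then fails to compile, so every copy goes through
        // the parent's copy step. A copy constructor instead of clone() also works.
    }
}
```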