Security - Method returns internal array - Sonar security warning - even when I am returning a clone

Question

The below return statement gives me a Sonar security warning even when I am not returning the original array but a clone of it.

What is the "correct" way to do this?

public String[] getList() {
        return list!=null? list.clone():null;
}

Please edit in the text of the warning that's given. – ircmaxell Apr 27 '15 at 13:58 — ircmaxell, Apr 27 '15 at 13:58

score 0 · Answer 1 · edited May 25 '21 at 14:30

Edited my previous answer for some obvious errors :)

List.clone() doesn't work because it returns a shallow copy of the list. So basically it just returns the reference to the original list. We don't want that here. What we want is a brand new array that doesn't have the same reference to be returned. For that the best idea will always be to create a new array and run a for loop like this:

String[] newArr = new String[list.length];
int i = 0;
for (String s : list) {
    newArr[i++] = s
}

If you wanna know why this is the issue, refer to this answer :)

Security - Method returns internal array - Sonar security warning - even when I am returning a clone

1 Answers1