
I have fixed one Sonar security alert - Array is stored directly by

Initially

    void setDerivedKey(byte[] derivedKey)
    {
        this.derivedKey = derivedKey;
    }

To

    void setDerivedKey(byte[] newDerivedKey)
    {
        if (newDerivedKey == null)
        {
            this.derivedKey = new byte[0];
        }
        else
        {
            this.derivedKey = Arrays.copyOf(newDerivedKey, newDerivedKey.length);
        }
    }

How do I fix this?

    public pEngine(byte[] salt) {
        byte[] mySalt = Arrays.copyOf(salt, salt.length);  // Edited as per below answer
        this.parameters = new pParameters("SomeValue", "SomeValue2", salt, 100);
    }

What is the impact of the fix on:

  • Performance
  • Memory management
  • Functionality
Some Java Guy
  • possible duplicate of [Sonar Violation: Security - Array is stored directly](http://stackoverflow.com/questions/11580948/sonar-violation-security-array-is-stored-directly) – astrohome Sep 03 '15 at 12:02
  • Please conform to Java coding conventions: Type names (class,interface,enum) should start with a capital letter (e.g. `BigPicture`). Method, variable and field names should start with a lowercase letter (e.g. `bigPicture`), and constants should be all-caps (e.g. `BIG_PICTURE`). – RealSkeptic Sep 03 '15 at 12:06

1 Answer

I'm not sure I understand. Why not:

    public pEngine(byte[] salt) {
        byte[] mySalt = Arrays.copyOf(salt, salt.length);
        this.parameters = new pParameters("SomeValue", "SomeValue2", mySalt, 100);
    }
Thom
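
An added example, not part of the original question or answer, showing what the "array is stored directly" rule guards against: an object that keeps the caller's array reference sees later writes to it, while one that copies does not. The class names `DirectHolder` and `CopyingHolder` are hypothetical, and the getter copy and null handling go one step beyond the constructor case discussed above.

```java
import java.util.Arrays;

// Added illustration; class and field names are hypothetical, not from the post.
public class DefensiveCopyDemo {

    // Stores the caller's array reference directly (the pattern Sonar flags).
    static final class DirectHolder {
        private final byte[] salt;
        DirectHolder(byte[] salt) { this.salt = salt; }
        byte[] getSalt() { return salt; }
    }

    // Copies on the way in and on the way out, treating null as empty.
    static final class CopyingHolder {
        private final byte[] salt;
        CopyingHolder(byte[] salt) {
            this.salt = (salt == null) ? new byte[0] : Arrays.copyOf(salt, salt.length);
        }
        byte[] getSalt() { return Arrays.copyOf(salt, salt.length); }
    }

    public static void main(String[] args) {
        byte[] callerSalt = {1, 2, 3, 4};   // constructed sample value

        DirectHolder direct = new DirectHolder(callerSalt);
        CopyingHolder copying = new CopyingHolder(callerSalt);

        // The caller keeps its reference and changes the array after construction.
        callerSalt[0] = 99;

        System.out.println("direct : " + Arrays.toString(direct.getSalt()));
        System.out.println("copying: " + Arrays.toString(copying.getSalt()));

        // A copy handed out by the getter cannot be used to alter internal state.
        copying.getSalt()[1] = 77;
        System.out.println("after getter write: " + Arrays.toString(copying.getSalt()));

        // Null input does not throw; it becomes an empty array.
        System.out.println("null -> length " + new CopyingHolder(null).getSalt().length);
    }
}
```

Each copy costs one extra array allocation and a linear-time copy of its contents, which for a salt or key of a few dozen bytes is small compared with the key derivation itself.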