FindBugs raises a bug called EI_EXPOSE_REP caused by Array
FindBugs raises a bug called EI_EXPOSE_REP with the following description:

EI: May expose internal representation by returning reference to mutable object

Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.

class Person {
    private String[] hobbies;
    String[] getHobbies(){ return hobbies;}
    void setHobbies(String[] hobbies){ this.hobbies = hobbies;}
}

I know some solutions:

  1. getHobbies(){return hobbies.clone();}
  2. use List instead of Array;

What I want to know is why only an array raises this bug; doesn't a list have the same problem? Why is an array so different from other collections?

Frontal answered 15/11, 2017 at 3:25 Comment(1)
I'm not sure why you don't get the same warning for a list, since a list is mutable as well. – Rajiv

Findbugs (which is now replaced by Spotbugs) raises a security issue. It is not a bug since it doesn't create an unwanted behavior by itself. But this exposure of the internal data CAN create bugs later in caller methods.

You guessed it, there are two ways to protect your getter against exposure:

  • Return a copy of your array with Arrays.copyOf(..)
  • Convert it to an "Immutable" List with Collections.unmodifiableList(..) (you can also use List.of(..) since Java 9)

A List will raise a similar warning unless made unmodifiable. It's a good practice to use Collections instead of Arrays unless you really have a good reason not to.

In some cases, when you have few writes and many reads, the class CopyOnWriteArrayList is a great alternative to have a simple immutable list getter.

What I want to know is why just array raises this bug.
It's just a warning. Findbugs displays a severity level next to the report.
Exposure is a medium one for security, but low for bugs.

A list doesn't have this problem?
It does. An ArrayList is just an Array with an additional layer of abstraction.

Why array is so different from other collections?
An Array is a native type, while Collections are not.
The behavior is similar, but you have less control over an Array than you have over a Collection.

Printery answered 15/11, 2017 at 4:58 Comment(3)
It's true: when I change 'private String[] hobbies' to 'private List<String> hobbies', FindBugs doesn't raise a bug, and I tested it. I just don't know why. – Frontal
Try increasing the FindBugs sensitivity in the options. Maybe you are not at the maximum warning level. – Printery
Thank you, you have been very helpful. And I know a new analysis tool to find bugs: Spotbugs. lol – Frontal
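The following is an added example, not code from the question or the answer above: it puts the exposed Person class from the question beside the two fixes the answer describes (Arrays.copyOf on the array, Collections.unmodifiableList over a CopyOnWriteArrayList) and shows in main() what a caller can do to each. The class names ExposedPerson, CopyingPerson, ViewPerson and the method addHobby are assumptions made for the demonstration. The copying variant also copies in the setter, which is the store-side counterpart of the same exposure (the EI_EXPOSE_REP2 pattern mentioned in the other answer).

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

public class ExposureDemo {

    // Exposed variant (the question's Person): the getter hands out the live
    // array (EI_EXPOSE_REP) and the setter keeps the caller's array (EI_EXPOSE_REP2).
    static class ExposedPerson {
        private String[] hobbies = new String[0];
        String[] getHobbies() { return hobbies; }
        void setHobbies(String[] hobbies) { this.hobbies = hobbies; }
    }

    // Defensive copy on both sides: the object owns the only reference to its
    // array, so nothing a caller does to its own arrays can reach the field.
    static class CopyingPerson {
        private String[] hobbies = new String[0];
        String[] getHobbies() { return Arrays.copyOf(hobbies, hobbies.length); }
        void setHobbies(String[] hobbies) { this.hobbies = Arrays.copyOf(hobbies, hobbies.length); }
    }

    // Read-only view: callers see the current contents, but every mutator on the
    // returned List throws UnsupportedOperationException. CopyOnWriteArrayList
    // keeps iteration over the view safe while the owner adds entries.
    static class ViewPerson {
        private final List<String> hobbies = new CopyOnWriteArrayList<>();
        List<String> getHobbies() { return Collections.unmodifiableList(hobbies); }
        void addHobby(String hobby) { hobbies.add(hobby); }
    }

    public static void main(String[] args) {
        String[] caller = {"chess", "hiking"};   // constructed sample input

        // 1. Exposed: both the retained reference and the returned reference
        //    let the caller rewrite the Person's internal state.
        ExposedPerson exposed = new ExposedPerson();
        exposed.setHobbies(caller);
        caller[0] = "poker";                    // through the reference the setter kept
        exposed.getHobbies()[1] = "skydiving";  // through the reference the getter returned
        System.out.println("exposed:  " + Arrays.toString(exposed.getHobbies()));

        // 2. Copying: the same two writes land in copies and leave the field untouched.
        CopyingPerson copying = new CopyingPerson();
        caller = new String[] {"chess", "hiking"};
        copying.setHobbies(caller);
        caller[0] = "poker";
        copying.getHobbies()[1] = "skydiving";
        System.out.println("copying:  " + Arrays.toString(copying.getHobbies()));

        // 3. View: the caller's attempt to add through the getter is rejected.
        ViewPerson view = new ViewPerson();
        view.addHobby("chess");
        try {
            view.getHobbies().add("poker");
        } catch (UnsupportedOperationException e) {
            System.out.println("view:     mutation rejected, contents " + view.getHobbies());
        }
    }
}
```

Running it shows the exposed object ending up with both caller-side writes, the copying object keeping its original two hobbies, and the view object rejecting the add. One caveat worth keeping in mind: Arrays.copyOf and Collections.unmodifiableList are shallow. That is enough here because String is immutable, but if the elements were themselves mutable objects (a Date[], say), a caller could still change them through the copy or the view, and the elements would need copying too.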

I got this issue for a byte[] field in my POJO class. If you want, you can suppress it using an annotation: @SuppressFBWarnings(value = {"EI_EXPOSE_REP", "EI_EXPOSE_REP2"})

Hebraism answered 22/10, 2020 at 11:4 Comment(0)
