JAVA.ASSERT.ARG
Never use assertions to validate method arguments
Vulnerability and risk
Validation of arguments can be critical to the functionality of a method. Assertions can be disabled at runtime, which removes the validation of the arguments entirely, or, when enabled, they can fail with an unhandled exception instead of a handled validation error.
Mitigation and prevention
Use non-assertion validation for arguments: remove the assert check on the parameter and replace it with an explicit if check or a call to a validation function.
Vulnerable code example 1
                                                    package com.klocwork;
public class JAVA_ASSERT_ARG_POSITIVE_1 {
    /**
     * Flagged by JAVA.ASSERT.ARG: the only check on the {@code args}
     * parameter is an {@code assert}. That validation disappears whenever the
     * JVM runs with assertions disabled (the default), and when assertions are
     * enabled a null argument surfaces as an {@code AssertionError} rather
     * than a handled validation failure. {@code i} is not used here.
     */
    public void test(int i, String args) {
        // Should be an explicit check (if/throw or Objects.requireNonNull), not an assert.
        assert args != null;
    }
}Vulnerable code example 2
                                                package com.klocwork;
public class JAVA_ASSERT_ARG_POSITIVE_2 {
    /**
     * Flagged by JAVA.ASSERT.ARG: the null check on the {@code args}
     * parameter is done with {@code assert}, so it is skipped when the JVM
     * runs with assertions disabled (the default) and raises an
     * {@code AssertionError} instead of a handled validation failure when
     * they are enabled. {@code i} is not used here.
     */
    public void test(String[] args, int i) {
        // Should be an explicit check (if/throw or Objects.requireNonNull), not an assert.
        assert args != null;
    }
}Vulnerable code example 3
                                            package com.klocwork;
public class JAVA_ASSERT_ARG_POSITIVE_3 {
    /**
     * Flagged by JAVA.ASSERT.ARG: the {@code args} parameter is validated only
     * by an {@code assert}. With assertions disabled (the JVM default) the
     * check never runs; with them enabled a null argument produces an
     * {@code AssertionError} rather than a handled validation failure.
     * {@code b} and {@code i} are not used here.
     */
    public void test(boolean b, String args[], int i) {
        // Should be an explicit check (if/throw or Objects.requireNonNull), not an assert.
        assert args != null;
    }
}Vulnerable code example 4
                                                package com.klocwork;
import java.util.List;
public class JAVA_ASSERT_ARG_POSITIVE_4 {
    /**
     * Flagged by JAVA.ASSERT.ARG: the only null check on the {@code args}
     * parameter is an {@code assert}. It is skipped when the JVM runs with
     * assertions disabled (the default), and when enabled it raises an
     * {@code AssertionError} instead of a handled validation failure.
     */
    public void test(List<String> args) {
        // Should be an explicit check (if/throw or Objects.requireNonNull), not an assert.
        assert args != null;
    }
}Fixed code example
                                                package com.klocwork;
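public class JAVA_ASSERT_ARG_NEGATIVE {
    /**
     * Not flagged by JAVA.ASSERT.ARG: the {@code args} parameter is validated
     * with an explicit check that runs regardless of whether the JVM has
     * assertions enabled; the remaining {@code assert} only guards a local
     * value, not caller input.
     *
     * @param args must not be null
     * @throws IllegalArgumentException if {@code args} is null
     */
    public static void test(String[] args) {
        // Argument validation must not depend on -ea: use a plain check.
        if (args == null) {
            throw new IllegalArgumentException("args must not be null");
        }
        int x = 123;
        // Asserting on an internal value (not a parameter) is acceptable:
        // it documents an invariant rather than validating caller input.
        assert x > 1;
        System.out.println("hello world");
    }
}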