Details
- Type: Bug
- Status: Patch Available
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 1.3.0, 1.4.0
Description
An HP Fortify scan of nifi-api/src/main/java/org/apache/nifi/controller/status/ProcessGroupStatus.java reports the following issues with the use of the clone() method.
1) The clone() method calls a function that can be overridden by an attacker. This may leave the clone in a partially initialized state, or cause it to become corrupted.
Functions that clone objects and call functions that can be overridden should declare those functions final, or declare the class final. Alternatively, if the called code is only needed by clone(), it can be given private access, or its logic can be placed directly in clone() itself.
2) When implementing clone(), one should call super.clone() to obtain the new object. If a class fails to follow this convention, a subclass's clone() method will return an object of the wrong type. By calling super.clone(), the java.lang.Object implementation of clone() always returns an object of the correct runtime type.
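The two findings side by side, as an added illustration that is not NiFi's own code: the class names, fields and setter are hypothetical stand-ins for the status object, with the weak clone() pattern above the corrected super.clone() form.

```java
import java.util.ArrayList;
import java.util.List;

// Weak form (hypothetical, not the NiFi class): clone() allocates with `new`
// and populates the copy through an overridable setter, i.e. both findings.
class WeakStatus implements Cloneable {
    private String name;
    private List<String> children = new ArrayList<>();

    public void setName(String name) { this.name = name; }   // overridable

    @Override
    public WeakStatus clone() {
        WeakStatus copy = new WeakStatus();          // finding 2: not super.clone()
        copy.setName(name);                          // finding 1: a subclass override runs
        copy.children = new ArrayList<>(children);   // against `copy` before children is set
        return copy;
    }
}

// Any subclass inherits a clone() that returns the base type, not its own.
class SubStatus extends WeakStatus { }

// Corrected form: super.clone() yields an instance of the runtime class, and the
// deep copy is done directly on the field, so nothing overridable is invoked.
class SafeStatus implements Cloneable {
    private String name;
    private List<String> children = new ArrayList<>();

    public void setName(String name) { this.name = name; }

    @Override
    public SafeStatus clone() {
        try {
            SafeStatus copy = (SafeStatus) super.clone();  // correct runtime type
            copy.children = new ArrayList<>(children);     // field copy, no setter call
            return copy;
        } catch (CloneNotSupportedException e) {
            throw new AssertionError(e);  // unreachable: this class is Cloneable
        }
    }
}

class SafeSub extends SafeStatus { }

public class CloneDemo {
    public static void main(String[] args) {
        // The weak clone is a WeakStatus, not a SubStatus; the safe clone is a SafeSub.
        System.out.println(new SubStatus().clone().getClass().getSimpleName());
        System.out.println(new SafeSub().clone().getClass().getSimpleName());
    }
}
```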