The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.

How is CWE-595 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-595?

Exploiting CWE-595 can lead to: Varies by Context.

CWE-595: Comparison of Object References Instead of Object Contents

Implementation

In Java, use the equals() method to compare objects instead of the == operator. If using ==, it is important for performance reasons that your objects are created by a static factory, not by a constructor.

CWE-595: Comparison of Object References Instead of Object Contents

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.

Vulnerable example

java

String str1 = new String("Hello");

Safe example

java

if (str1.equals(str2)) {

However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method:

In the following Java example, two BankAccount objects are compared in the isSameAccount method using the == operator.

Vulnerable example

java

public boolean isSameAccount(BankAccount accountA, BankAccount accountB) {

Safe example

java

public boolean isSameAccount(BankAccount accountA, BankAccount accountB) {

CWE-595: Comparison of Object References Instead of Object Contents

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-595?

How do you prevent CWE-595?

How is CWE-595 detected?

What are the consequences of CWE-595?

References

Stay ahead of CWE-595

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-595?

How do you prevent CWE-595?

How is CWE-595 detected?

What are the consequences of CWE-595?

References

Stay ahead of CWE-595