Use of Wrong Operator in String Comparison
The product uses the wrong operator when comparing a string, such as using "==" when the equals() method should be used instead.
In Java, using == or != to compare two strings for equality actually compares two objects for equality, not their values. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, it could be leveraged to affect program security.
The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.
Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.
In the example below, two Java String objects are declared and initialized with the same string values and an if statement is used to determine if the strings are equivalent.
However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method:
Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
Weaknesses in this category are related to the creation and modification of strings.
This view (slice) covers all the elements in CWE.
This view (slice) lists weaknesses that can be introduced during implementation.