CodeQL documentation

Reference equality test on strings

ID: java/reference-equality-on-strings
Kind: problem
Security severity: 
Severity: warning
Precision: medium
Tags:
   - reliability
   - external/cwe/cwe-597
Query suites:
   - java-security-and-quality.qls


Comparing two String objects using == or != compares object identity, which may not be intended. The same sequence of characters can be represented by two distinct String objects.

Recommendation

To see if two String objects represent the same sequence of characters, you should usually compare the objects by using their equals methods.

Example

With the following definition, headerStyle is compared to the empty string using ==. This comparison can yield false even if headerStyle is the empty string, because it compares the identity of the two string objects rather than their contents. For example, if headerStyle was initialized by an XML parser or a JSON parser, then it might have been created with code like String.valueOf(buf,start,len). Such code will produce a new string object every time it is called.

void printHeader(String headerStyle) {
	// == compares object identity, not contents: a "" built at runtime
	// is a different object from the literal "" and fails this test
	if (headerStyle == null || headerStyle == "") {
		// No header
		return;
	}
	// ... print the header
}

With the following definition, headerStyle is tested using the equals method. This version reliably detects the case where headerStyle is the empty string, regardless of how that string object was created.

void printHeader(String headerStyle) {
	// equals compares the character sequences, so any empty string matches
	if (headerStyle == null || headerStyle.equals("")) {
		// No header
		return;
	}
	// ... print the header
}
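The following runnable program is an added example, not part of the CodeQL documentation; it reproduces the parser scenario described above with a constructed char buffer, and shows why the identity check passes in naive tests (string literals are interned) yet fails on a string produced by String.valueOf(buf, start, len). The null-safe variant using "".equals(s) is an additional suggestion beyond the page.

```java
public class ReferenceEqualityDemo {

    // Mimics a parser that materializes each token as a fresh String object,
    // exactly as String.valueOf(buf, start, len) does (constructed example).
    static String tokenFromBuffer(char[] buf, int start, int len) {
        return String.valueOf(buf, start, len);
    }

    // The pattern flagged by java/reference-equality-on-strings:
    // identity comparison against the literal "".
    static boolean isEmptyByIdentity(String s) {
        return s == null || s == "";
    }

    // The recommended pattern: content comparison via equals.
    static boolean isEmptyByEquals(String s) {
        return s == null || s.equals("");
    }

    // Null-safe variant (added suggestion): putting the literal on the left
    // avoids the explicit null check, since "".equals(null) is simply false.
    static boolean isEmptyNullSafe(String s) {
        return s == null || "".equals(s);
    }

    public static void main(String[] args) {
        // Constructed input: the zero-length text between <h1> and </h1>.
        char[] buf = "<h1></h1>".toCharArray();
        String fromParser = tokenFromBuffer(buf, 4, 0);

        // A compile-time literal is interned, so comparing it to "" by
        // identity succeeds and hides the bug in simple unit tests.
        String literal = "";

        System.out.println("literal == \"\"             : " + (literal == ""));
        System.out.println("fromParser == \"\"          : " + (fromParser == ""));
        System.out.println("fromParser.equals(\"\")     : " + fromParser.equals(""));

        System.out.println("isEmptyByIdentity(fromParser): " + isEmptyByIdentity(fromParser));
        System.out.println("isEmptyByEquals(fromParser)  : " + isEmptyByEquals(fromParser));
        System.out.println("isEmptyNullSafe(fromParser)  : " + isEmptyNullSafe(fromParser));
        System.out.println("isEmptyNullSafe(null)        : " + isEmptyNullSafe(null));
    }
}
```

Running it prints true for the literal identity check but false for the parser-produced string under ==, while the equals-based checks report true for both.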
