conn is accessed without synchronization

    try {
        // conn is a field of the servlet instance, so every request thread shares it
        conn = DriverManager.getConnection(DB_URL, "user", "");
        Statement s = conn.createStatement();
        s.execute("SELECT userName, isWin FROM users WHERE uid = " + req.getParameter("ticket") + ";");
        ResultSet r = s.getResultSet();
Description
A web server generally creates only one instance of a servlet or JSP class (i.e., it treats the class as a singleton) and has multiple threads invoke methods on that one instance to service simultaneous requests. Any mutable field of the instance is therefore shared by every in-flight request.
Bad Practice
    import java.io.IOException;
    import java.util.HashMap;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    class MyServlet extends HttpServlet {
        private HashMap<String, User> users; // This field may be left open to concurrent modification.
        // ...
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            resp.setStatus(200);
            resp.setHeader("Content-Type", "application/json");
            String name = req.getParameter("name");
            users.put(name, ...); // This access is not synchronized and could result in concurrent modification of users.
        }
    }
Accessing such variables without synchronizing on them could allow ConcurrentModificationExceptions. It could also result in race conditions between threads that modify the concerned field, for example lost or interleaved updates to a HashMap that is not thread-safe.
Recommended
Consider using some form of synchronization to ensure that such variables can be accessed safely in a concurrent context.
    private synchronized void doOperationOnUsers(String name) {
        // users is only modified within this method, so the instance lock serializes all writers.
        users.put(name, ...);
    }
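To make the race concrete, the following stand-alone Java program is an added example (not from this page, SpotBugs or any servlet framework) that simulates a container calling one handler instance from many threads: the unsynchronized handler mirrors the flagged pattern, the other routes every access through synchronized methods as recommended above. The names, request counts and the `hits` map are constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;

/** Stand-in for a servlet container: one handler instance, many request threads. */
public class ServletFieldRaceDemo {

    /** Mirrors the flagged pattern: a mutable field on the singleton, touched by every request. */
    static class UnsafeServlet {
        private final Map<String, Integer> hits = new HashMap<>(); // shared, unsynchronized
        void doGet(String name) {
            hits.put(name, hits.getOrDefault(name, 0) + 1);     // check-then-act race between threads
        }
        int hits(String name) { return hits.getOrDefault(name, 0); }
    }

    /** Recommended shape: all access to the shared field goes through synchronized methods. */
    static class SafeServlet {
        private final Map<String, Integer> hits = new HashMap<>();
        private synchronized void recordHit(String name) {
            hits.put(name, hits.getOrDefault(name, 0) + 1);     // read-modify-write now atomic
        }
        void doGet(String name) { recordHit(name); }
        synchronized int hits(String name) { return hits.getOrDefault(name, 0); }
    }

    static final int THREADS = 8, REQUESTS_PER_THREAD = 50_000;      // constructed load
    // Few distinct keys: the map never resizes, so the race shows up as lost updates only.
    static final String[] NAMES = {"alice", "bob", "carol", "dave"};  // constructed sample users

    /** Fires REQUESTS_PER_THREAD requests from each of THREADS threads, round-robin over NAMES. */
    static void hammer(Consumer<String> doGet) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(THREADS);
        for (int t = 0; t < THREADS; t++) {
            pool.execute(() -> {
                for (int i = 0; i < REQUESTS_PER_THREAD; i++) doGet.accept(NAMES[i % NAMES.length]);
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);                 // also publishes the map to main
    }

    public static void main(String[] args) throws InterruptedException {
        int expected = THREADS * REQUESTS_PER_THREAD / NAMES.length;  // hits each name should have
        UnsafeServlet unsafe = new UnsafeServlet();
        hammer(unsafe::doGet);
        SafeServlet safe = new SafeServlet();
        hammer(safe::doGet);
        System.out.printf("expected per name: %d%n", expected);
        System.out.printf("unsafe alice=%d (typically below expected: lost updates)%n", unsafe.hits("alice"));
        System.out.printf("safe   alice=%d%n", safe.hits("alice"));
    }
}
```

The unsafe count is nondeterministic, which is exactly why this class of bug survives testing; the synchronized version always reaches the expected total.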
References
- SpotBugs - MSF_MUTABLE_SERVLET_FIELD
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')