jdrueckert
commented
10 months ago Associated Secure Code Guidelines: https://www.ing.iac.es//~docs/external/java/pmd/rules/sunsecure.html
While I agree that the code was likely written the way it was because the main focus was on performance, personally coming from a security point of view, I'm hesitant to just accept this as "likely not a problem in game development" without a proper criticality assessment of this security flaw - in particular as the respective PMD findings occurred in type handler code which is exposed enough to be of concern, especially in a multiplayer setup.
parameter passing by reference
on a number of locations in the code static code analysis tools like pmd warn that data structures passed are stored and returned directly. while java has no pointers, this behaviour is similar, passing by reference. so an outside actor can change the contents of the structure. such a parameter passing may be a security leak especially in public APIs. see for example here for an explanation
for games, this is more a performance feature than a security leak.
keywords: MethodReturnsInternalArray, ArrayIsStoredDirectly,
Proposal
@jdrueckert wishes a more thorough discussion about the issue, and suggested to suppress the warning at the moment and link to this ticket, in a TODO.