Private Data Structure Returned From A Public Method

Status: Draft
Abstraction: Variant
Structure: Simple
Description

The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.

Common Consequences
Scope: Integrity

Impact: Modify Application Data

The contents of the data structure can be modified from outside the intended scope.

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations
Phase: Implementation
Declare the method private.
Phase: Implementation
Clone the member data and keep an unmodified version of the data private to the object.
Phase: Implementation
Use public setter methods that govern how a private member can be modified.
Demonstrative Examples
Here, a public method in a Java class returns a reference to a private array. Given that arrays in Java are mutable, any modifications made to the returned reference would be reflected in the original private array.

In this example, the Color class defines functions that return non-const references to private members (an array type and an integer type), which are then arbitrarily altered from outside the control of the class.

Code Example (Bad, C++):

```c++
// return reference to private array
int & fv () { return colorValue; }
// return reference to private integer
};
```
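As an added illustration (not the CWE entry's own code), the class below contrasts a Color that hands out non-const references to its private array and integer with a variant that returns copies and funnels writes through a validating setter; the class and member names are assumed for the example.

```cpp
#include <array>
#include <cstddef>

// Weakness: public accessors return non-const references to private members,
// so any caller can rewrite the object's state with no validation at all.
class LeakyColor {
public:
    int& red() { return red_; }                            // reference to private int
    std::array<int, 3>& channels() { return channels_; }   // reference to private array
    int channel(std::size_t i) const { return channels_.at(i); }
private:
    int red_ = 0;
    std::array<int, 3> channels_{};
};

// Mitigation: readers get a copy (a const reference would also do); writers
// must use a setter that enforces the class invariant (each channel in 0..255).
class SafeColor {
public:
    int red() const { return channels_[0]; }
    std::array<int, 3> channels() const { return channels_; }  // copy, not a reference
    bool setChannel(std::size_t i, int v) {
        if (i >= channels_.size() || v < 0 || v > 255) return false;  // reject bad writes
        channels_[i] = v;
        return true;
    }
private:
    std::array<int, 3> channels_{};
};

// Writing through the leaked reference silently changes the object: returns 999.
int leakyAfterExternalWrite() {
    LeakyColor c;
    c.channels()[0] = 999;   // the class never gets a chance to range-check this
    c.red() = -1;
    return c.channel(0);
}
// Writing to the returned copy leaves the object untouched: returns 0.
int safeAfterExternalWrite() {
    SafeColor c;
    auto copy = c.channels();
    copy[0] = 999;
    return c.channels()[0];
}
// The setter rejects the out-of-range value and accepts a valid one.
bool safeSetterEnforcesInvariant() {
    SafeColor c;
    return !c.setChannel(0, 999) && c.setChannel(0, 200) && c.red() == 200;
}
```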
References
[REF-6] Katrina Tsipenyuk, Brian Chess, and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools, Techniques and Metrics, NIST, 07-11-2005.
Applicable Platforms
Languages:
  • C: Undetermined
  • C++: Undetermined
  • Java: Undetermined
  • C#: Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
  • 7 Pernicious Kingdoms
  • Software Fault Patterns