Passing Mutable Objects to an Untrusted Method

From Guidance Share

Description

Sending non-cloned mutable data as an argument may result in that data being altered or deleted by the called function, thereby putting the calling function into an undefined state.

Applies To

  • Languages: C/C++ or Java
  • Operating platforms: Any

Example

In this example, bar and baz will be passed by reference to doOtherStuff(), which may change them. Unexpected changes to these variables could cause problems in later code:

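private:
    int foo;
    complexType bar;
    String baz;
    otherClass externalClass;
public:
    void doStuff() {
        // bar and baz are handed over without a defensive copy,
        // so doOtherStuff() can alter the caller's own state.
        externalClass.doOtherStuff(foo, bar, baz);
    }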

Impact

  • Integrity: Data could be unexpectedly tampered with by another function.

Vulnerabilities

  • Failure to clone mutable data before passing to an untrusted method.
  • Failure to perform integrity checks on mutable data that has been passed to an untrusted method.

Countermeasures

  • Implementation: Clone all mutable data before passing it to another function. Regardless of what changes are made to the data, a valid copy is retained for use by the class. Another option is to pass any data that should not be altered as constant or immutable.
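
The countermeasure above, shown beside the vulnerable call, as an added C++ example that is not part of the original page. ComplexType, OtherClass, Caller and all method bodies are hypothetical stand-ins for the page's complexType, otherClass and doStuff(); the comparison after the call covers the integrity check listed under Vulnerabilities.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for the page's complexType.
struct ComplexType {
    std::vector<int> limits;
    bool operator==(const ComplexType& o) const { return limits == o.limits; }
};

// Hypothetical untrusted callee: takes non-const references and alters
// them, as the page warns doOtherStuff() may.
struct OtherClass {
    void doOtherStuff(int, ComplexType& bar, std::string& baz) {
        bar.limits.clear();
        baz = "overwritten";
    }
    // Read-only variant: const references make any write a compile error.
    std::size_t inspect(const ComplexType& bar, const std::string& baz) const {
        return bar.limits.size() + baz.size();
    }
};

class Caller {
    int foo = 1;
    ComplexType bar{{10, 20, 30}};   // constructed sample state
    std::string baz = "config";
    OtherClass externalClass;
public:
    // Vulnerable form from the page: the callee receives the live members.
    void doStuffUnsafe() { externalClass.doOtherStuff(foo, bar, baz); }

    // Countermeasure: clone first and pass only the clones.
    // Returns true when the callee modified what it was given.
    bool doStuffCloned() {
        ComplexType barCopy = bar;   // deep copy: the vector copies its elements
        std::string bazCopy = baz;
        externalClass.doOtherStuff(foo, barCopy, bazCopy);
        return !(barCopy == bar) || bazCopy != baz;
    }

    // Alternative countermeasure: pass the data as constant.
    std::size_t doStuffConst() const { return externalClass.inspect(bar, baz); }

    bool intact() const { return bar.limits.size() == 3 && baz == "config"; }
};

int main() { Caller c; c.doStuffCloned(); return c.intact() ? 0 : 1; }
```

A copy protects the caller only if it is deep: a type that holds raw pointers or shared handles needs a copy constructor that duplicates what they point to.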

Vulnerability Patterns

How Tos
