Returning Mutable Object to an Untrusted Method

From Guidance Share




Returning a reference to mutable data without first cloning it lets the caller alter or delete that data out from under the class that owns it, leaving the class in an undefined state. The caller may be less trusted than the class, so the class can no longer rely on invariants it established over that data.

Applies To

  • Languages: C,C++ or Java
  • Operating platforms: Any


The following example shows a method returning a reference to a mutable object to its caller:

  externalClass foo;
  externalClass doStuff() {
      // ... modify foo
      return foo;  // the live object, not a copy, escapes to the caller
  }

In this example foo (a mutable object) is returned without having been cloned. The caller now holds a reference to the class's internal state and can modify it in ways the class never anticipates or checks.


Consequences

  • Access Control / Integrity: data the class depends on can be tampered with by a caller that should have had no write access to it, bypassing any validation the class performs on its own state.


Causes

  • Failure to clone mutable data before returning it to an untrusted method.
  • Failure to perform integrity checks on mutable data after it has been exposed to an untrusted method.


Mitigation

  • Implementation: Clone all mutable data before returning it, rather than returning a reference to the original. This is the preferred mitigation: regardless of what the caller does with its copy, the class retains a valid copy for its own use. Returning a read-only view (for example a const reference in C++ or an unmodifiable wrapper in Java) is a cheaper alternative when the caller is trusted not to cast it away, but it does not protect the class's copy from a hostile caller the way a clone does.
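The example below, added here and not part of the original page, shows the vulnerable and the mitigated getter side by side in C++. It assumes a hypothetical HostPolicy class holding an allowlist; the getter that returns a reference lets an untrusted caller widen the allowlist, while the getter that returns a copy leaves the policy's own state intact.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical policy object that owns a mutable allowlist (constructed for
// this example; not from the original page).
class HostPolicy {
public:
    HostPolicy() : allowed_{"internal.example", "backup.example"} {}

    // Vulnerable: hands out a reference to the private member, so whoever
    // receives it can rewrite the allowlist behind the policy's back.
    std::vector<std::string>& allowedHostsUnsafe() { return allowed_; }

    // Preferred mitigation: return a clone. Whatever the caller does to its
    // copy, the policy keeps a valid copy for its own decisions.
    std::vector<std::string> allowedHosts() const { return allowed_; }

    bool isAllowed(const std::string& host) const {
        return std::find(allowed_.begin(), allowed_.end(), host) != allowed_.end();
    }

private:
    std::vector<std::string> allowed_;
};

// Simulates an untrusted caller that tries to add itself to the allowlist.
static void untrustedCaller(std::vector<std::string>& hosts) {
    hosts.push_back("attacker.example");
}

// Returns true when the policy's internal state was corrupted through the
// reference-returning getter.
bool unsafeGetterIsTamperable() {
    HostPolicy policy;
    untrustedCaller(policy.allowedHostsUnsafe());
    return policy.isAllowed("attacker.example");  // true: state corrupted
}

// Returns true when the policy's internal state survived the same attack
// because the getter returned a copy.
bool copyingGetterIsSafe() {
    HostPolicy policy;
    std::vector<std::string> copy = policy.allowedHosts();
    untrustedCaller(copy);  // only the caller's copy is modified
    return !policy.isAllowed("attacker.example");  // true: policy unchanged
}

int main() {
    std::cout << "reference getter tamperable: "
              << (unsafeGetterIsTamperable() ? "yes" : "no") << '\n';
    std::cout << "copying getter safe: "
              << (copyingGetterIsSafe() ? "yes" : "no") << '\n';
    return 0;
}
```

The copy costs an allocation per call; where that matters, a const reference removes the accidental-mutation case but a caller willing to const_cast can still reach the original, so for data that crosses a trust boundary the clone is the right choice.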
