Returning Mutable Object to an Untrusted Method

From Guidance Share

Description

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function, thereby putting the class in an undefined state.

Applies To

  • Languages: C, C++ or Java
  • Operating platforms: Any

Example

The following example shows a method returning a mutable object to its caller:

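// externalClass is assumed to be defined elsewhere.
class Example {
private:
    externalClass foo;
public:
    // Returns a reference to the internal object itself, not a copy.
    externalClass& doStuff() {
        // ... modify foo ...
        return foo;
    }
};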

In this example, foo (a mutable object) is returned without having been cloned. The caller can therefore make unpredictable modifications to the internal state of this class.

Impact

  • Access Control / Integrity: Data that should not be modified could potentially be tampered with by another function.

Vulnerabilities

  • Failure to clone mutable data before returning to an untrusted method.
  • Failure to perform integrity checks on mutable data that has been returned to an untrusted method.

Countermeasures

  • Implementation: Clone all mutable data before returning references to it. This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.
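The countermeasure above, shown next to the vulnerable pattern. This is an added example, not code from the original page; the class names LeakyPolicy and SafePolicy, the role strings, and the untrustedCaller function are hypothetical.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Vulnerable: the getter hands out a reference to the internal vector.
class LeakyPolicy {
    std::vector<std::string> roles_{"reader"};  // constructed sample state
public:
    std::vector<std::string>& roles() { return roles_; }
    bool allows(const std::string& r) const {
        return std::find(roles_.begin(), roles_.end(), r) != roles_.end();
    }
};

// Hardened: the getter returns by value, so the caller receives a clone.
// If the class held raw pointers, its copy constructor would have to
// deep-copy the pointed-to data for the clone to be independent.
class SafePolicy {
    std::vector<std::string> roles_{"reader"};  // constructed sample state
public:
    std::vector<std::string> roles() const { return roles_; }
    bool allows(const std::string& r) const {
        return std::find(roles_.begin(), roles_.end(), r) != roles_.end();
    }
};

// Stand-in for an untrusted caller that modifies whatever it is given.
// Returns true if the modification reached the policy's internal state.
template <class Policy>
bool untrustedCaller(Policy& p) {
    auto&& r = p.roles();  // binds to the internal object or to a temporary copy
    r.push_back("admin");
    return p.allows("admin");
}

int main() {
    LeakyPolicy leaky;
    SafePolicy safe;
    std::cout << "leaky state altered: " << untrustedCaller(leaky) << "\n";
    std::cout << "safe state altered:  " << untrustedCaller(safe) << "\n";
    return 0;
}
```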

Vulnerability Patterns

How Tos
