CWE-375
Returning a Mutable Object to an Untrusted Caller
Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.
Status
draft
Abstraction
base
Likelihood
medium
Affected Platforms
C
C#
C++
Java
Object-Oriented
Extended Description
In situations where functions return references to mutable data, it is possible that the external code which called the function may make changes to the data sent. If this data was not previously cloned, the class will then be using modified data which may violate assumptions about its internal state.
Technical Details
Common Consequences
access control
integrity
Impacts
modify memory
Potential Mitigations
Phases:
implementation
Descriptions:
• Declare returned data which should not be altered as constant or immutable.
• Clone all mutable data before returning references to it. This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.
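The weakness and both mitigations above, as an added C++ illustration that is not part of the CWE entry. The policy classes, the allow-list contents and the "extra" entry are constructed for the example.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Constructed example: a policy object holding an allow-list. The weak
// accessor hands out a non-const reference to its own internal storage.
class WeakPolicy {
public:
    WeakPolicy() : allow_{"alice", "bob"} {}
    // CWE-375: the caller receives the live, mutable internal vector.
    std::vector<std::string>& allowed() { return allow_; }
    bool isAllowed(const std::string& user) const {
        return std::find(allow_.begin(), allow_.end(), user) != allow_.end();
    }
private:
    std::vector<std::string> allow_;
};

// Mitigated form: return a clone so external edits never reach the
// object's state (preferred), or a const reference that forbids mutation.
class SafePolicy {
public:
    SafePolicy() : allow_{"alice", "bob"} {}
    std::vector<std::string> allowed() const { return allow_; }             // clone
    const std::vector<std::string>& allowedView() const { return allow_; } // read-only
    bool isAllowed(const std::string& user) const {
        return std::find(allow_.begin(), allow_.end(), user) != allow_.end();
    }
private:
    std::vector<std::string> allow_;
};

// Simulates external code that edits whatever it is handed. Returns
// whether the edit changed what the policy object itself now permits.
bool weakPolicyCorrupted() {
    WeakPolicy p;
    p.allowed().push_back("extra");   // silently rewrites internal state
    return p.isAllowed("extra");      // true: the object's own check now differs
}

bool safePolicyCorrupted() {
    SafePolicy p;
    p.allowed().push_back("extra");   // edits a temporary copy only
    // p.allowedView().push_back("extra"); would not compile: const view
    return p.isAllowed("extra");      // false: internal state is unchanged
}
```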