CWE - CWE-374: Passing Mutable Objects to an Untrusted Method (2.1)

Home > CWE List > CWE- Individual Dictionary Definition (2.1)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS
CWRAF
T-Shirt

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Coverage Claims Representation
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-374: Passing Mutable Objects to an Untrusted Method

Passing Mutable Objects to an Untrusted Method

Weakness ID: 374 (Weakness Base)

Status: Draft

Description

Description Summary

Sending non-cloned mutable data as an argument may result in that data being altered or deleted by the called function, thereby putting the calling function into an undefined state.

Time of Introduction

Implementation

Applicable Platforms

Languages

C++

Java

.NET

Common Consequences

Scope	Effect
Integrity	Technical Impact: Modify memory Potentially data could be tampered with by another function which should not have been tampered with.

Likelihood of Exploit

Medium

Demonstrative Examples

Example 1

(Bad Code)

Example Languages: C and C++

private:

int foo;

complexType bar;

String baz;

otherClass externalClass;

public:

void doStuff() {

externalClass.doOtherStuff(foo, bar, baz)

}

In this example, bar and baz will be passed by reference to doOtherStuff() which may change them.

Example 2

In the following Java example, the BookStore class manages the sale of books in a bookstore, this class includes the member objects for the bookstore inventory and sales database manager classes. The BookStore class includes a method for updating the sales database and inventory when a book is sold. This method retrieves a Book object from the bookstore inventory object using the supplied ISBN number for the book class, then calls a method for the sales object to update the sales information and then calls a method for the inventory object to update inventory for the BookStore.

(Bad Code)

Example Language: Java

public class BookStore {

private BookStoreInventory inventory;

private SalesDBManager sales;

...

// constructor for BookStore

public BookStore() {

this.inventory = new BookStoreInventory();

this.sales = new SalesDBManager();

...

}

public void updateSalesAndInventoryForBookSold(String bookISBN) {

// Get book object from inventory using ISBN

Book book = inventory.getBookWithISBN(bookISBN);

// update sales information for book sold

sales.updateSalesInformation(book);

// update inventory

inventory.updateInventory(book);

}

// other BookStore methods

...

}

public class Book {

private String title;

private String author;

private String isbn;

// Book object constructors and get/set methods

...

}

However, in this example the Book object that is retrieved and passed to the method of the sales object could have its contents modified by the method. This could cause unexpected results when the book object is sent to the method for the inventory object to update the inventory.

In the Java programming language arguments to methods are passed by value, however in the case of objects a reference to the object is passed by value to the method. When an object reference is passed as a method argument a copy of the object reference is made within the method and therefore both references point to the same object. This allows the contents of the object to be modified by the method that holds the copy of the object reference. (See Reference)

In this case the contents of the Book object could be modified by the method of the sales object prior to the call to update the inventory.

To prevent the contents of the Book object from being modified, a copy of the Book object should be made before the method call to the sales object. In the following example a copy of the Book object is made using the clone() method and the copy of the Book object is passed to the method of the sales object. This will prevent any changes being made to the original Book object.

(Good Code)

Example Language: Java

...

public void updateSalesAndInventoryForBookSold(String bookISBN) {

// Get book object from inventory using ISBN

Book book = inventory.getBookWithISBN(bookISBN);

// Create copy of book object to make sure contents are not changed

Book bookSold = (Book) book.clone();

// update sales information for book sold

sales.updateSalesInformation(bookSold);

// update inventory

inventory.updateInventory(book);

}

...

Example 2 References:

Tony Sintes. "Does Java pass by reference or pass by value?". JavaWorld.com. 2000-05-26. <http://www.javaworld.com/javaworld/javaqa/2000-05/03-qa-0526-pass.html>.

Herbert Schildt. "Java: The Complete Reference, J2SE 5th Edition".

Potential Mitigations

Phase: Implementation

Pass in data which should not be altered as constant or immutable.

Phase: Implementation

Clone all mutable data before returning references to it. This is the preferred mitigation. This way -- regardless of what changes are made to the data -- a valid copy is retained for use by the class.

Other Notes

In situations where unknown code is called with references to mutable data, this external code may possibly make changes to the data sent. If this data was not previously cloned, you will be left with modified data which may, or may not, be valid in the context of execution.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	371	State Issues	Development Concepts (primary)699
ChildOf	Weakness Class	668	Exposure of Resource to Wrong Sphere	Research Concepts (primary)1000
ChildOf	Category	849	CERT Java Secure Coding Section 04 - Object Orientation (OBJ)	Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Passing mutable objects to an untrusted method
CERT Java Secure Coding	OBJ08-J		Provide mutable classes with copy functionality to allow passing instances to untrusted code safely

Content History

Submissions
Submission Date	Submitter	Organization	Source
	CLASP		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2010-06-21	CWE Content Team	MITRE	Internal
2010-06-21	updated Name, Taxonomy_Mappings
2010-12-13	CWE Content Team	MITRE	Internal
2010-12-13	updated Demonstrative_Examples
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences, Relationships, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2010-06-21	Mutable Objects Passed by Reference

Page Last Updated: September 12, 2011


	CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us