Passing mutable objects to an untrusted method

From OWASP

Jump to: navigation, search

Overview

Sending non-cloned mutable data as an argument may result in that data being altered or deleted by the called function, thereby putting the calling function into an undefined state.

Consequences

Integrity: Potentially data could be tampered with by another function which should not have been tampered with.

Exposure period

Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

Languages: C/C++ or Java

Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

Avoidance and mitigation

Implementation: Pass in data which should not be alerted as constant or immutable.

Implementation: Clone all mutable data before returning references to it. This is the preferred mitigation. This way - regardless of what changes are made to the data - a valid copy is retained for use by the class.

Discussion

In situations where unknown code is called with references to mutable data, this external code may possibly make changes to the data sent. If this data was not previously cloned, you will be left with modified data which may, or may not, be valid in the context of execution.

Examples

In C\C++:

private:
  int foo.
  complexType bar;
  String baz;
  otherClass externalClass; 

public:
  void doStuff() {
    externalClass.doOtherStuff(foo, bar, baz)
  }

In this example, bar and baz will be passed by reference to doOtherStuff() which may change them.

Related problems

Not available.

Retrieved from "http://www.owasp.org/index.php/Passing_mutable_objects_to_an_untrusted_method"

Categories: OWASP Honeycomb Project | Vulnerability | General Logic Error Vulnerability | Implementation | OWASP CLASP Project

Views

Personal tools

Log in / create account

Reference

search

Toolbox