CWE-495: Private Data Structure Returned From A Public Method

Description

The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.

Submission Date: July 19, 2006

Modification Date: 2023-06-29

Organization: MITRE

Example Vulnerable Code

Example - 1

Here, a public method in a Java class returns a reference to a private array. Given that arrays in Java are mutable, any modifications made to the returned reference would be reflected in the original private array.


private String[] colors;

public String[] getColors() {
    return colors;  // hands out the private array itself, not a copy
}

Example - 2

In this example, the Color class defines member functions that return non-const references to private members (an array and an integer), which a caller can then alter at will, outside the control of the class.



class Color
{
private:
    int colorArray[2];
    int colorValue;
public:
    Color () : colorArray { 1, 2 }, colorValue (3) { }
    int (& fa ()) [2] { return colorArray; }  // return reference to private array
    int & fv () { return colorValue; }        // return reference to private integer
};

int main ()
{
    Color c;
    c.fa () [1] = 42;  // modifies private array element
    c.fv () = 42;      // modifies private int
    return 0;
}
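As an added example that is not part of the MITRE entry, the leaky pattern from the C++ example above is placed next to a hardened counterpart whose accessors return a const reference or a copy and whose only write path is a validating setter; the names LeakyColor, SafeColor and setElement are assumptions made for this illustration.

```cpp
#include <array>
#include <cstddef>
#include <type_traits>
#include <utility>

// Leaky variant, mirroring the page's Color class (hypothetical name).
class LeakyColor {
    std::array<int, 2> colorArray{1, 2};
    int colorValue{3};
public:
    std::array<int, 2>& fa() { return colorArray; }  // leaks mutable alias
    int& fv() { return colorValue; }                  // leaks mutable alias
};

// Hardened variant (hypothetical name): reads return a const reference or a
// copy; the only write path is a setter that validates its input.
class SafeColor {
    std::array<int, 2> colorArray{1, 2};
    int colorValue{3};
public:
    const std::array<int, 2>& fa() const { return colorArray; }
    int fv() const { return colorValue; }
    bool setElement(std::size_t i, int v) {
        if (i >= colorArray.size() || v < 0) return false;
        colorArray[i] = v;
        return true;
    }
};

// Compile-time check that fa() cannot hand out a mutable reference.
static_assert(std::is_same<decltype(std::declval<SafeColor&>().fa()),
                           const std::array<int, 2>&>::value,
              "fa() must not expose a mutable reference");

// Through the leaked references a caller overwrites both private members.
int leakyMutation() {
    LeakyColor c;
    c.fa()[1] = 42;
    c.fv() = 42;
    return c.fa()[1] + c.fv();  // 84
}

// Against SafeColor, `c.fa()[1] = 42;` is a compile error; the caller can
// only copy the array and modify the copy, so the object still holds 2.
int safeCopyMutation() {
    SafeColor c;
    std::array<int, 2> local = c.fa();  // copy, not an alias
    local[1] = 42;
    return c.fa()[1];  // 2
}
```

The static_assert is the check to keep in a code base: it fails the build if someone later changes the accessor back to a non-const reference.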

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.