logo

Passing Mutable Objects to an Untrusted Method

Draft Base
Structure: Simple
Description

This vulnerability occurs when a function receives a direct reference to mutable data, such as an object or array, instead of a safe copy of that data.

Extended Description

When you pass a mutable object directly to a method—especially one from an external library or untrusted code—that method can alter or even delete the contents of your object. This breaks a fundamental assumption in your code: that the data you own remains under your control. The called function might change values, add unexpected elements, or clear the object entirely, leading to inconsistent states, crashes, or logic errors in your application. To prevent this, you should create and pass a defensive copy (a clone or deep copy) of the mutable data before sending it to any code you don't fully control. This ensures the original data remains intact and valid, regardless of what the external method does. Always treat mutable data passed across trust boundaries as potentially hostile and isolate it through copying.
Common Consequences 1
Scope: Integrity

Impact: Modify Memory

Potentially data could be tampered with by another function which should not have been tampered with.
Potential Mitigations 2
Phase: Implementation
Pass in data which should not be altered as constant or immutable.
Phase: Implementation
Clone all mutable data before passing it into an external function . This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.
Demonstrative Examples 2
The following example demonstrates the weakness.

Code Example:

Bad
C
c
In this example, bar and baz will be passed by reference to doOtherStuff() which may change them.
In the following Java example, the BookStore class manages the sale of books in a bookstore, this class includes the member objects for the bookstore inventory and sales database manager classes. The BookStore class includes a method for updating the sales database and inventory when a book is sold. This method retrieves a Book object from the bookstore inventory object using the supplied ISBN number for the book class, then calls a method for the sales object to update the sales information and then calls a method for the inventory object to update inventory for the BookStore.

Code Example:

Bad
Java
java

// constructor for BookStore* public BookStore() { ``` this.inventory = new BookStoreInventory(); this.sales = new SalesDBManager(); ... } public void updateSalesAndInventoryForBookSold(String bookISBN) {

java

// Book object constructors and get/set methods* ...}

However, in this example the Book object that is retrieved and passed to the method of the sales object could have its contents modified by the method. This could cause unexpected results when the book object is sent to the method for the inventory object to update the inventory.
In the Java programming language arguments to methods are passed by value, however in the case of objects a reference to the object is passed by value to the method. When an object reference is passed as a method argument a copy of the object reference is made within the method and therefore both references point to the same object. This allows the contents of the object to be modified by the method that holds the copy of the object reference. [REF-374]
In this case the contents of the Book object could be modified by the method of the sales object prior to the call to update the inventory.
To prevent the contents of the Book object from being modified, a copy of the Book object should be made before the method call to the sales object. In the following example a copy of the Book object is made using the clone() method and the copy of the Book object is passed to the method of the sales object. This will prevent any changes being made to the original Book object.

Code Example:

Good
Java
java

// Get book object from inventory using ISBN* Book book = inventory.getBookWithISBN(bookISBN);

java
References 3
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
Does Java pass by reference or pass by value?
Tony Sintes
JavaWorld.com
26-05-2000
https://web.archive.org/web/20000619025001/https://www.javaworld.com/javaworld/javaqa/2000-05/03-qa-0526-pass.html(2023-04-07)
ID: REF-374
Java: The Complete Reference, J2SE 5th Edition
Herbert Schildt
ID: REF-375
Likelihood of Exploit

Medium

Applicable Platforms
Languages:
C : UndeterminedC++ : UndeterminedJava : UndeterminedC# : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
ChildOf: Exposure of Resource to Wrong Sphere (CWE-668)
Taxonomy Mapping
  • CLASP
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns