Private Data Structure Returned From A Public Method

Status: Draft
Abstraction: Variant
Structure: Simple
Description

This vulnerability occurs when a public method directly returns a reference to a private, internal data structure. Because the reference is live, external callers can bypass intended controls and modify the data unexpectedly, corrupting the application's state.

Extended Description

This flaw breaks a core principle of encapsulation in object-oriented design. The private data structure—like an array, collection, or object—is meant to be managed solely by the class's own methods. By handing out a direct reference, you allow external code to add, remove, or alter elements without validation, leading to data corruption, security bypasses, or crashes that are difficult to debug. The fix is to return either a copy of the data (defensive copying) or an immutable view, ensuring the internal state remains protected. Identifying every instance of this pattern across a large codebase can be tedious. While SAST tools can flag the risky return statements, Plexicus uses AI to analyze the context and automatically suggest the correct remediation—such as implementing `Collections.unmodifiableList()` in Java or a slice copy in Go—saving developers hours of manual refactoring and ensuring consistent fixes.

Common Consequences
Scope: Integrity

Impact: Modify Application Data

The contents of the data structure can be modified from outside the intended scope.

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations
Phase: Implementation
Declare the method private.
Phase: Implementation
Clone the member data and keep an unmodified version of the data private to the object.
Phase: Implementation
Use public setter methods that govern how a private member can be modified.
Demonstrative Examples
Here, a public method in a Java class returns a reference to a private array. Given that arrays in Java are mutable, any modifications made to the returned reference would be reflected in the original private array.

Code Example (Bad, Java): the Java listing is not preserved on this page.
In this example, the Color class defines functions that return non-const references to private members (an array type and an integer type), which are then arbitrarily altered from outside the control of the class.

Code Example (Bad, C++): only a fragment of the listing survives on this page; it is shown here wrapped in the Color class the text describes, with the array accessor left out because its definition is not preserved.

```cpp
class Color {
private:
    // the private array member and its accessor are not preserved on this page
    int colorValue;
public:
    // return reference to private array (accessor not preserved on this page)
    int & fv () { return colorValue; } // return reference to private integer
};
```
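As an added illustration (not the CWE entry's own code), the following constructed C++ listing places the leaky accessors beside a hardened variant that applies the mitigations above: a defensive copy, a const view, and a validating setter. The Palette classes, their member names and the 0..255 invariant are assumptions made for this example.

```cpp
#include <algorithm>
#include <vector>
static bool inRange(int v) { return v >= 0 && v <= 255; }   // shared invariant check

// Constructed example (not the CWE entry's own code): public accessors hand out
// live references to private members, so external code can bypass the check in
// add() and corrupt the object's state (CWE-495).
class LeakyPalette {
    std::vector<int> channels_;   // invariant: every value in 0..255
    int alpha_ = 255;             // invariant: 0..255
public:
    bool add(int v) { if (!inRange(v)) return false; channels_.push_back(v); return true; }
    std::vector<int>& channels() { return channels_; }   // live reference to the container
    int& alpha() { return alpha_; }                      // live reference to the integer
    bool consistent() const {
        return inRange(alpha_) && std::all_of(channels_.begin(), channels_.end(), inRange);
    }
};
// Hardened variant: return a copy (defensive copying) or a const view, and route
// writes through a validating setter, so the private state stays protected.
class SafePalette {
    std::vector<int> channels_;
    int alpha_ = 255;
public:
    bool add(int v) { if (!inRange(v)) return false; channels_.push_back(v); return true; }
    std::vector<int> channels() const { return channels_; }      // copy, not a reference
    const std::vector<int>& view() const { return channels_; }   // read-only view
    int alpha() const { return alpha_; }                         // value, not a reference
    bool setAlpha(int a) { if (!inRange(a)) return false; alpha_ = a; return true; }
    bool consistent() const {
        return inRange(alpha_) && std::all_of(channels_.begin(), channels_.end(), inRange);
    }
};
// External code writing through whatever the accessor returned; each function
// reports whether the object's invariants survived.
bool leakyTamperKeepsInvariants() {
    LeakyPalette p; p.add(10);
    p.channels().push_back(999);   // bypasses add()'s range check
    p.alpha() = -1;                // bypasses any setter
    return p.consistent();         // false: private state was corrupted
}
bool safeTamperKeepsInvariants() {
    SafePalette p; p.add(10);
    p.channels().push_back(999);   // mutates a temporary copy only
    p.setAlpha(-1);                // rejected; writing through view() would not compile
    return p.consistent();         // true: invariants intact
}
```

Note that a const view is the cheapest fix for read-only callers, while a copy is the right choice when the caller legitimately needs its own mutable working set.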
References
[REF-6] Katrina Tsipenyuk, Brian Chess, and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools, Techniques and Metrics, NIST, 07-11-2005.
Applicable Platforms
Languages:
  • C: Undetermined
  • C++: Undetermined
  • Java: Undetermined
  • C#: Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
  • 7 Pernicious Kingdoms
  • Software Fault Patterns