...
In this noncompliant code example, class ReturnRef contains a private Hashtable instance field. The hash table stores immutable but sensitive data (for example, social security numbers [SSNs]). The getValues() method gives the caller access to the hash table by returning a reference to it. An untrusted caller can use this method to gain access to the hash table; as a result, hash table entries can be maliciously added, removed, or replaced. Furthermore, multiple threads can perform these modifications, providing ample opportunities for race conditions.
...
OBJ05-EX0: When a method is called with only an unmodifiable immutable view of an object, that method may freely use the unmodifiable immutable view without defensive copying. This decision should be made early in the design of the API. Note that new callers of such methods must also expose only unmodifiable immutable views.
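The ReturnRef class described in the noncompliant example above, placed beside two compliant alternatives (a defensive copy, and the unmodifiable view that OBJ05-EX0 allows callers to use without further copying), as an added example; this is not code from the CERT page. The class and method names, the field name ht, and the SSN values are assumptions and constructed sample data.

```java
import java.util.Collections;
import java.util.Hashtable;
import java.util.Map;

// Added example (not the CERT page's own code). Names are assumptions;
// the SSN strings are constructed sample values.
class ReturnRef {
    // Private internal state holding immutable but sensitive values.
    private final Hashtable<Integer, String> ht = new Hashtable<>();

    ReturnRef() {
        ht.put(1, "123-45-6666"); // constructed sample value
    }

    // Noncompliant: hands the caller the internal reference. The caller can
    // put(), remove() or replace entries. Hashtable's own synchronization
    // guards only each individual call, so concurrent callers holding the
    // reference can still interleave their modifications.
    public Hashtable<Integer, String> getValuesNoncompliant() {
        return ht;
    }

    // Compliant (defensive copy): the caller receives its own snapshot.
    // A shallow copy suffices because the stored Strings are immutable.
    @SuppressWarnings("unchecked")
    public Hashtable<Integer, String> getValuesCopy() {
        return (Hashtable<Integer, String>) ht.clone();
    }

    // Compliant (OBJ05-EX0): an unmodifiable view. A caller that receives
    // only this view cannot mutate the table, so it may pass the view on
    // without copying. The view is live: it reflects later changes the
    // owner makes through ht itself.
    public Map<Integer, String> getValuesView() {
        return Collections.unmodifiableMap(ht);
    }

    // Lets the demonstration below check whether internal state changed.
    public int size() {
        return ht.size();
    }
}

public class ReturnRefDemo {
    public static void main(String[] args) {
        ReturnRef r = new ReturnRef();

        // The caller mutates the leaked reference; the change lands in
        // r's private state.
        r.getValuesNoncompliant().put(2, "000-00-0000");
        System.out.println("after mutating leaked reference, size = " + r.size());

        // The caller mutates the defensive copy; r's state is unaffected.
        Hashtable<Integer, String> copy = r.getValuesCopy();
        copy.put(3, "111-11-1111");
        System.out.println("after mutating copy, size = " + r.size());

        // The caller attempts to mutate the unmodifiable view; the attempt
        // fails fast instead of silently altering r's state.
        try {
            r.getValuesView().put(4, "222-22-2222");
        } catch (UnsupportedOperationException e) {
            System.out.println("unmodifiable view rejected put()");
        }
        System.out.println("after view attempt, size = " + r.size());
    }
}
```

The copy and the view differ in what they promise: the copy isolates the caller from every later change to the internal table, while the view only prevents the caller from writing. Choose the view when, as OBJ05-EX0 describes, the API is designed from the start so that every caller receives and forwards only unmodifiable views.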
Risk Assessment
Returning references to internal object state (mutable or immutable) can render an application susceptible to information leaks and corruption of its objects' states, which consequently violates class invariants. Control flow can also be affected in some cases.
...
CWE-375, Returning a Mutable Object to an Untrusted Caller
...