Private Array-Typed Field Returned From A Public Method
Weakness ID: 495 (Weakness Variant)Status: Draft
+ Description

Description Summary

The product has a method that is declared public, but returns a reference to a private array, which could then be modified in unexpected ways.
+ Time of Introduction
  • Implementation
+ Applicable Platforms






+ Demonstrative Examples

Example 1

Here, a public method in a Java class returns a reference to a private array. Given that arrays in Java are mutable, any modifications made to the returned reference would be reflected in the original private array.

(Bad Code)
Example Language: Java 
private String[] colors;
public String[] getColors() {
return colors;
+ Potential Mitigations

Declare the method private.

Clone the member data and keep an unmodified version of the data private to the object.

Use public setter methods that govern how a member can be modified.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class485Insufficient Encapsulation
Development Concepts (primary)699
Seven Pernicious Kingdoms (primary)700
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsPrivate Array-Typed Field Returned From A Public Method
+ White Box Definitions

A weakness where code path has a statement that belongs to a public method and returns a reference to a private array field

+ Content History
Submission DateSubmitterOrganizationSource
7 Pernicious KingdomsExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-08-01KDM AnalyticsExternal
added/updated white box definitions
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Relationships, Taxonomy Mappings