CWE Rule 496

Public Data Assigned to Private Array-Typed Field

Since R2023b

expand all in page

Description

Rule Description

Assigning public data to a private array is equivalent to giving public access to the array.

Polyspace Implementation

The rule checker checks for the issue Public data assigned to private pointer.

Examples

expand all

Public data assigned to private pointer

Issue

The issue Public data assigned to private pointer occurs when a public member function assigns a public pointer or reference parameter to a private pointer or reference data member. For instance:

class MyClass {
  private:
    std::string& myStringRef;
    std::string* myStringPointer;
  public:
    MyClass(std::string& inputStringRef, std::string* inputStringPointer)
	: myStringRef(inputStringRef), myStringPointer(inputStringPointer) //Noncompliant
	{} 
};
void foo(){
	
	std::string str1{"string ref"};
	std::string str2{"string pointer"};
	MyClass a{str1, &str2};
	str1 = "Changed string";
}

In this class definition, the public constructor function MyClass:;MyClass():

Assigns the reference parameter inputStringRef to the private reference myStringRef.
Assigns the pointer parameter inputStringPointer to the private pointer myStringPointer.

These assignments violate this rule and Polyspace^® reports violations.

Polyspace does not report a violation of this rule for function pointers.

Risk

If you initialize a private pointer or reference data member by using a public parameter, then any function can modify the private data member. In the preceding code, the objects MyClass::myStringRef and MyClass::myStringPointer are private data members. Because MyClass::MyClass() assigns public parameters to private pointer or reference data members, the function foo() can modify these private data members. For instance, str1 = "Changed string" sets the value of a.myStringRef to "Changed string", even though MyClass::myStringRef is a private field.

Fix

Avoid assigning pointer of reference parameters to private pointer or reference data members. For public functions that set private pointers and reference data members, accept parameters by value. If possible, set private pointer and reference data members by using private setter, which can in turn be invoked from methods from a friend method.

Example —Avoid assigning public pointers or references to private pointers or references

In this example, the class MyClass manages the private reference data member myStringRef and the private pointer myStringPointer. In the constructor of MyClass, public parameters are assigned tomyStringRef and myStringPointer. As a result, the assignment operations in foo() changes the value of a.myStringRef and a.myStringPointer. This behavior is unexpected. Polyspace reports a violation of this rule on the declaration of the class constructor.

#include <string>
class MyClass
{
private:
    std::string& myStringRef;
    std::string* myStringPointer;
public:
    MyClass(std::string& inputStringRef, std::string* inSP)
        : myStringRef(inputStringRef), myStringPointer(inSP) //Noncompliant
    {}
};

void foo()
{

    std::string str1{"string ref"};
    std::string str2{"string pointer"};
    MyClass a{str1, &str2};
    str1 = "Changed string";
    str2 = "Another changed string";
}

Correction

To fix the violation:

In MyClass::MyClass(), take the input inputStringRef by value instead of by reference.
Use the private setter function setmyStringPointer() to set the private pointer myStringPointer.

#include <string>
class MyClass {
	friend void foo();
  private:
    std::string& myStringRef;
	std::string* myStringPointer;
	void setmyStringPointer(std::string* inSP){
		myStringPointer=inSP; //Compliant
	}
  public:
    MyClass(std::string inputStringRef)
	: myStringRef(inputStringRef) //Compliant
	{} 
};

void foo(){
	
	std::string str1{"string ref"};
	std::string str2{"string pointer"};
	MyClass a{str1};
	a.setmyStringPointer(&str2);
	str1 = "Changed string";
	str2 = "Another changed string";
}

Check Information

Category: Others

Version History

Introduced in R2023b