Main Content

CWE Rule 493

Critical Public Variable Without Final Modifier

Since R2023b

expand all in page

Description

Rule Description

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

Polyspace Implementation

The rule checker checks for then issue Critical public variable not const.

Examples

expand all

Issue

The issue Critical public variable not const occurs when all these conditions are true:

Risk

The behavior of your code might depend on the values of critical variables. If such variables are public and non-const, then any function can change their values. Such mutable critical public variables make the code vulnerable to malicious attacks. Because the behavior of code depends on the value of such critical variables, unexpected change in their values can result in unexpected behavior. Consider this code:

class myApp{
//...
public:
std::string config = 'myAppRoot/resource/config.dat';
};
Here, the critical variable config stores the path to a specific file that is used in other parts of the code. Because config is public and non-const, it is vulnerable to malicious attacks. Unexpected change to the value of config results in unexpected behavior from your code.

Fix

If you specify a public variable as critical, declare it in your code as const. For instance, to fix the violation in the preceding code, declare config as const.

class myApp{
//...
public:
std::string const config = 'myAppRoot/resource/config.dat';
};

Extend Checker

This defect checker requires a list of critical data members to be externally specified. Even if you enable checking of CWE rules, this checker is not enabled unless you also specify a list of critical data members. See Modify Bug Finder Checkers Through Code Behavior Specifications.

Example — Declare Critical Public Variables as const

In this example, the class myApplication contains three critical public variables. These critical public variables are specified in the code behavior specification XML file.

  • Code behavior specification XML file:

    <specifications>
  <members>
    <member name="password" kind="variable">
      <behavior name="CRITICAL_DATA"/>
    </member>
    <member name="username" kind="variable">
      <behavior name="CRITICAL_DATA"/>
    </member>
    <member name="config" kind="variable">
      <behavior name="CRITICAL_DATA"/>
    </member>
  </members>
</specifications>

  • myApplication:

     class myApplication {
public:
    char* NotCritical; //Compliant
	char* config;      //Noncompliant
private:
   const char* password; //Compliant         
   char* username;       //Compliant  
};

Because you declare the critical variable config as public and non-const, Polyspace® reports a violation of this rule. The critical variables password and username are compliant with this rule because you declare them as private.

Check Information

Category: Others

Version History

Introduced in R2023b

See Also

Topics

External Websites