CWE Rule 493
Description
Rule Description
The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
Polyspace Implementation
The rule checker checks for the issue Critical public variable not const.
Examples
The issue Critical public variable not const occurs when all these conditions are true:
- You specify a variable as critical by using the option -code-behavior-specifications. See Specifying Critical Data Members.
- You declare the critical variable as public.
- You do not specify the critical variable as const.
The behavior of your code might depend on the values of critical variables. If such variables are public and non-const, then any function can change their values. Such mutable critical public variables make the code vulnerable to malicious attacks. Because the behavior of the code depends on the value of such critical variables, an unexpected change in their values can result in unexpected behavior. Consider this code:
class myApp{
//...
public:
std::string config = "myAppRoot/resource/config.dat";
};

config stores the path to a specific file that is used in other parts of the code. Because config is public and non-const, it is vulnerable to malicious attacks. An unexpected change to the value of config results in unexpected behavior from your code.

If you specify a public variable as critical, declare it in your code as const. For instance, to fix the violation in the preceding code, declare config as const.
class myApp{
//...
public:
std::string const config = "myAppRoot/resource/config.dat";
};

This defect checker requires a list of critical data members to be externally specified. Even if you enable checking of CWE rules, this checker is not enabled unless you also specify a list of critical data members. See Modify Bug Finder Checkers Through Code Behavior Specifications.
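The fix above, carried a step further as an added example that is not part of the Polyspace documentation: the critical path is supplied at construction time so it can still be configured per deployment, and compile-time checks show what declaring the member const does and does not buy you. The class names, the constructor and the sample paths are assumptions made for this example.

```cpp
#include <cassert>
#include <string>
#include <type_traits>
#include <utility>

// Noncompliant shape from the rule description: the critical path is public
// and mutable, so any code holding a reference to the object can redirect it.
class myAppNoncompliant {
public:
    std::string config = "myAppRoot/resource/config.dat";
};

// Compliant shape: still public, but const. When the path must come from the
// deployment environment, take it in the constructor; after construction the
// value cannot change. (Constructor and default argument are assumptions.)
class myAppCompliant {
public:
    explicit myAppCompliant(std::string path = "myAppRoot/resource/config.dat")
        : config(std::move(path)) {}
    std::string const config;
};

// The mutable member accepts assignment; the const member rejects it at compile time.
static_assert(std::is_assignable<decltype(myAppNoncompliant::config)&, std::string>::value,
              "noncompliant config can be reassigned");
static_assert(!std::is_assignable<decltype(myAppCompliant::config)&, std::string>::value,
              "compliant config cannot be reassigned");

// Caveat before applying the fix across a code base: a const data member deletes
// the class's implicit copy and move assignment, so code that reassigns whole
// objects stops compiling. Copy construction still works.
static_assert(std::is_copy_assignable<myAppNoncompliant>::value, "noncompliant class is assignable");
static_assert(!std::is_copy_assignable<myAppCompliant>::value, "compliant class is not copy-assignable");
static_assert(!std::is_move_assignable<myAppCompliant>::value, "compliant class is not move-assignable");
static_assert(std::is_copy_constructible<myAppCompliant>::value, "compliant class is still copyable");

// Returns the path the application will use; with the const member this is
// always the value fixed at construction time.
std::string effectiveConfigPath(const myAppCompliant& app) { return app.config; }

int main() {
    myAppCompliant app("/etc/myApp/config.dat");   // constructed sample path
    assert(effectiveConfigPath(app) == "/etc/myApp/config.dat");
    myAppCompliant copy(app);                      // copy construction is allowed
    assert(copy.config == app.config);
    return 0;
}
```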
In this example, the class myApplication contains three critical public variables. These critical public variables are specified in the code behavior specification XML file.

Code behavior specification XML file:
<specifications>
  <members>
    <member name="password" kind="variable">
      <behavior name="CRITICAL_DATA"/>
    </member>
    <member name="username" kind="variable">
      <behavior name="CRITICAL_DATA"/>
    </member>
    <member name="config" kind="variable">
      <behavior name="CRITICAL_DATA"/>
    </member>
  </members>
</specifications>

myApplication:
class myApplication {
public:
    char* NotCritical;     //Compliant
    char* config;          //Noncompliant
private:
    const char* password;  //Compliant
    char* username;        //Compliant
};
Because you declare the critical variable config as public and non-const, Polyspace® reports a violation of this rule. The critical variables password and username are compliant with this rule because you declare them as private.
Check Information
| Category: Others |
Version History
Introduced in R2023b