CWE-767
Access to Critical Private Variable via Public Method. [Permission-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime]
Required inputs: IR
Demonstrative Examples
Example 1
The following example declares a critical variable to be private, and then allows the variable to be modified by public methods.
Example Language: C++

    class Item {
    private:
        float price;                      // critical field, declared private ...
    public:
        void changePrice(float newPrice) {
            price = newPrice;             // ... but any caller can overwrite it through this public method
        }
    };
Example 2
The following example could be used to implement a user forum where a single user (UID) can switch between multiple profiles (PID).
Example Language: Java (Unsupported language for documentation only)

    public class Client {
        private int UID;          // critical: a UID of 1 means the user is treated as an admin
        public int PID;
        private String userName;

        // getDefaultProfileID() and mapUserNametoUID() are assumed to be defined elsewhere in the class
        public Client(String userName) {
            PID = getDefaultProfileID();
            UID = mapUserNametoUID(userName);
            this.userName = userName;
        }

        public void setPID(int ID) {
            UID = ID;             // typo: PID was intended; the critical private field UID is written instead
        }
    }

The programmer implemented setPID with the intention of modifying the PID variable, but due to a typo, accidentally specified the critical variable UID instead. If the program allows profile IDs to be between 1 and 10, but a UID of 1 means the user is treated as an admin, then a user could gain administrative privileges as a result of this typo.
Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4, "3rd-Party Licenses", in the documentation for full details.

Possible Messages

| Key | Text | Severity | Disabled |
|---|---|---|---|
| critical_field_write | Critical private field must not be written to in a public method. | None | False |
Options
This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions
critical_field_patterns
critical_field_patterns : set[bauhaus.analysis.config.SearchPattern] = {'pass_?[word|key]', 'user_?name'}
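As an added illustration (not the tool's own implementation), a small Python checker that mirrors the logic of this rule: private fields whose names match critical_field_patterns are collected, and any assignment to one of them inside a public method is reported as a critical_field_write. It assumes a pattern is searched within the field name case-insensitively, skips constructors, and is run over Example 2 from this page, where the default patterns do not cover UID.

```python
import re

# Default of this rule's critical_field_patterns option, as listed on this page.
# Assumption: a pattern is searched within the field name, case-insensitively.
DEFAULT_PATTERNS = (r"pass_?[word|key]", r"user_?name")

FIELD_RE = re.compile(r"\b(private|protected|public)\s+[\w<>\[\]]+\s+(\w+)\s*(?:=[^;]*)?;")
# Public methods with an explicit return type; constructors are deliberately skipped.
METHOD_RE = re.compile(r"\bpublic\s+[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{")

def _body(src, open_idx):
    """Text between the '{' at open_idx and its matching '}' (brace counting)."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def critical_private_fields(src, patterns=DEFAULT_PATTERNS):
    """Private field names matching one of the critical_field_patterns."""
    return {name for vis, name in FIELD_RE.findall(src) if vis == "private"
            and any(re.search(p, name, re.IGNORECASE) for p in patterns)}

def critical_field_writes(src, patterns=DEFAULT_PATTERNS):
    """(method, field) pairs where a public method assigns a critical private field."""
    fields = critical_private_fields(src, patterns)
    findings = []
    for m in METHOD_RE.finditer(src):
        body = _body(src, m.end() - 1)
        for field in sorted(fields):
            # plain or compound assignment to the field, but not an '==' comparison
            if re.search(r"(?:\bthis\.)?\b" + re.escape(field) + r"\s*[-+*/]?=(?!=)", body):
                findings.append((m.group(1), field))
    return findings

# Example 2 from this page, condensed onto fewer lines.
CLIENT_JAVA = """public class Client {
    private int UID; public int PID; private String userName;
    public Client(String userName) { PID = getDefaultProfileID();
        UID = mapUserNametoUID(userName); this.userName = userName; }
    public void setPID(int ID) { UID = ID; }
}"""

if __name__ == "__main__":
    # The default patterns do not cover UID, so the typo is missed until 'uid' is added.
    print(critical_field_writes(CLIENT_JAVA))                              # []
    print(critical_field_writes(CLIENT_JAVA, DEFAULT_PATTERNS + ("uid",)))  # [('setPID', 'UID')]
```

The second call shows why critical_field_patterns has to be extended with the names of the fields that are actually critical in a given code base; the defaults only cover password- and user-name-like identifiers.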