Avoid user-generated class names for reflection

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: java-security/unsafe-reflection

Language: Java

Severity: Error

Category: Security

CWE: 470

Description

Using reflection with class names being manually generated is unsafe and can lead to code injection. The class name must be validated and the program should make sure no malicious class can be loaded at runtime.

Non-Compliant Code Examples

class Test {
    void test() {
        String which = "org.owasp.benchmark.helpers." + props.getProperty("thing");
        System.out.println("foo");
        Class<?> thing = Class.forName(which);
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}

Compliant Code Examples

class Test {
    void test() {
        String which = "org.owasp.benchmark.helpers.MyClass";
        System.out.println("foo");
        Class<?> thing = Class.forName(which);
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis
PREVIEWING: may/unit-testing