
Comparing classes solely using their names can allow a malicious class to bypass security checks and gain access to protected resources.
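The following Java class is an added illustration of the point above; it is not code from the CERT page, and every class and method name in it is hypothetical. It places a name-based type check next to a Class-object-based one, both for an equals() implementation and for a trust gate:

```java
// Added example (not from the CERT OBJ09-J page); all names here are hypothetical.
// Contrasts comparing types by class name with comparing Class objects.
public final class ClassComparisonDemo {

    // Stand-in for a type that a security check must recognise exactly.
    static final class TrustedCredential {
        private final String id;
        TrustedCredential(String id) { this.id = id; }

        // Noncompliant: name-based comparison. Two classes defined by different
        // class loaders may share the fully qualified name of this class yet be
        // distinct runtime types, so a matching name does not prove that o is a
        // TrustedCredential, and the cast below can still fail.
        boolean equalsByName(Object o) {
            if (o == null) return false;
            if (!o.getClass().getName().equals(getClass().getName())) return false;
            return id.equals(((TrustedCredential) o).id);
        }

        // Compliant: compare Class objects. The JVM yields one Class object per
        // (defining loader, name) pair, so == identifies the runtime type exactly
        // and the cast cannot fail once the check passes.
        @Override
        public boolean equals(Object o) {
            if (this == o) return true;
            if (o == null || o.getClass() != getClass()) return false;
            return id.equals(((TrustedCredential) o).id);
        }

        @Override
        public int hashCode() { return id.hashCode(); }
    }

    // Noncompliant gate: a string comparison of the class name, which any class
    // loaded under that name by another loader would satisfy.
    static boolean isTrustedByName(Object o) {
        return "ClassComparisonDemo$TrustedCredential".equals(o.getClass().getName());
    }

    // Compliant gate: identity comparison against the Class object this code was
    // linked against (an instanceof test is equally loader-aware).
    static boolean isTrusted(Object o) {
        return o.getClass() == TrustedCredential.class;
    }

    public static void main(String[] args) {
        Object a = new TrustedCredential("alice");
        Object b = new TrustedCredential("alice");
        System.out.println("equalsByName: " + ((TrustedCredential) a).equalsByName(b));
        System.out.println("equals:       " + a.equals(b));
        System.out.println("isTrustedByName: " + isTrustedByName(a));
        System.out.println("isTrusted:       " + isTrusted(a));
    }
}
```

Run from a single class loader, both variants agree; the checks diverge only when a second loader defines a class with the same name, which is exactly the situation the name comparison cannot detect. The name-based pattern in equalsByName and isTrustedByName is the one the checkers listed under Automated Detection report.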

Rule | Severity | Likelihood | Remediation Cost | Priority | Level
OBJ09-J | High | Unlikely | Low | P9 | L2

Automated Detection

Tool | Version | Checker | Description
The Checker Framework | | Signature String Checker | Ensure that the string representation of a type is properly used, for example in Class.forName (see Chapter 13)
CodeSonar | | FB.CORRECTNESS.EQ_COMPARING_CLASS_NAMES | equals method compares class names rather than class objects
Parasoft Jtest | | SECURITY.EAB.CMP | Implemented
SonarQube | | S1872 | Classes should not be compared by name

Related Guidelines

MITRE CWE

CWE-486, Comparison of Classes by Name
