Comment: Changed to Applicability

...

Code Block

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

class DatabaseOperation {
  private String url, username, password; // supplied elsewhere
  private Connection conn;

  private void getConnection() throws SQLException {
    // ...
    conn = DriverManager.getConnection(url, username, password);
    // Do what is required here itself; do not return the connection
  }

  public void DoDatabaseOperationWrapper() throws SQLException {
    // Perform any checks or validate input
    getConnection();
  }
}
```

Exceptions

Applicability

Allowing untrusted code to carry out actions using the immediate caller's class loader may allow the untrusted code to execute with the same privileges as the immediate caller.

SEC53-EX0: It is permissible to use APIs that do not use the immediate caller's class loader instance. For example, the three-argument java.lang.Class.forName() method requires an explicit argument that specifies the class loader instance to use. Do not use the immediate caller's class loader as the third argument if instances must be returned to untrusted code.

Code Block

```java
public static Class forName(String name,
                            boolean initialize,
                            ClassLoader loader) /* explicitly specify the class loader to use */
                     throws ClassNotFoundException
```
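The following is an added illustration, not code from the guideline, contrasting the one-argument Class.forName() (which resolves through the trusted library's own loader) with the three-argument form that names the loader explicitly. The class name PluginRunner, the Runnable plugin contract and the empty URLClassLoader used as the "untrusted caller's" loader are assumptions made for the demo.

```java
import java.net.URL;
import java.net.URLClassLoader;

public final class PluginRunner {

  // Noncompliant pattern: the one-argument forName() uses the loader of the
  // class that calls it (this trusted library), and the resulting instance is
  // handed straight back to whoever asked for it.
  public static Object loadUnsafely(String className)
      throws ReflectiveOperationException {
    Class<?> c = Class.forName(className);
    return c.getDeclaredConstructor().newInstance();
  }

  // Compliant pattern: the loader is chosen explicitly. Passing the untrusted
  // caller's own loader (rather than this library's) means the caller can only
  // reach classes it could already see, and asSubclass() constrains the
  // returned object to the contract the library defines.
  public static Runnable loadPlugin(String className, ClassLoader callerLoader)
      throws ReflectiveOperationException {
    Class<?> c = Class.forName(className, true, callerLoader);
    return c.asSubclass(Runnable.class).getDeclaredConstructor().newInstance();
  }

  public static void main(String[] args) throws Exception {
    // Constructed stand-in for an untrusted caller's loader: it can see the
    // platform classes but not this library's classpath.
    ClassLoader restricted =
        new URLClassLoader(new URL[0], ClassLoader.getPlatformClassLoader());

    // Resolved via the library's loader, the library's own class is reachable.
    System.out.println("unsafe: " + loadUnsafely("PluginRunner").getClass());

    // Resolved via the caller's loader, the same name is not reachable.
    try {
      loadPlugin("PluginRunner", restricted);
    } catch (ClassNotFoundException e) {
      System.out.println("explicit loader cannot reach: " + e.getMessage());
    }
  }
}
```

Run it as a single-file program (java PluginRunner.java, JDK 11 or later) to see the first lookup succeed and the second fail with ClassNotFoundException.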

Risk Assessment

Allowing untrusted code to carry out actions using the immediate caller's class loader may allow the untrusted code to execute with the same privileges as the immediate caller.

Guideline | Severity | Likelihood | Remediation Cost | Priority | Level
--------- | -------- | ---------- | ---------------- | -------- | -----
SEC53-JG  | high     | probable   | medium           | P12      | L1

Automated Detection

Automated detection is not feasible.

Related Vulnerabilities

...

Bibliography

[SCG 2010] Guideline 9-9: Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance

...
