...
This noncompliant code example returns an instance of java.sql.Connection from trusted to untrusted code. Untrusted code that lacks the permissions required to create a SQL connection can bypass those restrictions by using the acquired instance directly. Because the caller also supplies the JDBC URL, and the URL determines which driver class is loaded, the caller additionally controls which class the trusted code loads.
```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Noncompliant: the caller chooses the JDBC URL (which selects the driver class
// to be loaded) and receives the resulting Connection.
public Connection getConnection(String url, String username, String password)
        throws SQLException {
  // ...
  return DriverManager.getConnection(url, username, password);
}
```
Compliant Solution
Ensure that instances of objects created using the unsafe methods are not returned to untrusted code. It is preferable to reduce the accessibility of methods that perform sensitive operations and to define wrapper methods that are accessible from untrusted code.

The getConnection() method is unsafe because it uses the url to indicate a class to be loaded; this class serves as the database driver. This compliant solution prevents a malicious user from supplying their own URL to the database connection, thereby limiting their ability to load untrusted drivers.
```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Compliant: the URL is fixed by the trusted code and never taken from the
// caller, so the caller cannot choose which driver class is loaded. Only the
// credentials come from the caller.
private String url = /* hardwired value */ "...";

public Connection getConnection(String username, String password)
        throws SQLException {
  return DriverManager.getConnection(this.url, username, password);
}
```
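As an added example (not code from the CERT page or its compliant solution), the following class combines both recommendations above: the JDBC URL is hardwired, the method that obtains the Connection is private, and the only public method performs the database operation itself and hands back plain data rather than the Connection. The JDBC URL, the table and column names, and the account-id format are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: the trusted side keeps both the JDBC URL and the Connection
 * to itself. Untrusted callers get a single narrow operation whose inputs are
 * bound as query parameters; they never receive the Connection and never get a
 * say in which driver class the URL selects.
 */
public final class AccountLookup {

    // Hardwired: the URL chooses the driver class, so it must not come from the
    // caller. The URL itself is an assumption for illustration.
    private static final String URL =
            "jdbc:postgresql://db.example.internal:5432/accounts";

    private final String username;
    private final char[] password;

    public AccountLookup(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    // Reduced accessibility: only this class can obtain the Connection.
    private Connection openConnection() throws SQLException {
        return DriverManager.getConnection(URL, username, new String(password));
    }

    /**
     * The only entry point visible to untrusted code. It validates its input,
     * performs the whole operation on the trusted side, and returns plain data.
     * Table and column names are assumptions for illustration.
     */
    public List<String> emailsForAccount(String accountId) throws SQLException {
        if (accountId == null || !accountId.matches("[A-Za-z0-9-]{1,64}")) {
            throw new IllegalArgumentException("malformed account id");
        }
        List<String> emails = new ArrayList<>();
        // try-with-resources closes the Connection before this method returns,
        // so no live Connection can escape to the caller.
        try (Connection conn = openConnection();
             PreparedStatement ps = conn.prepareStatement(
                     "SELECT email FROM account_email WHERE account_id = ?")) {
            ps.setString(1, accountId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
            }
        }
        return emails;
    }
}
```

The wrapper returns a List<String> it built itself; a caller cannot reach the Connection, the Statement, or the URL through the returned value, and the only caller-controlled string is bound as a parameter after validation.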
Applicability
Allowing untrusted code to carry out actions using the immediate caller's class loader may allow the untrusted code to execute with the same privileges as the immediate caller.
...