...
However, certain methods use a reduced security check that verifies only that the immediate calling method has access, rather than checking every method on the call stack. Code that invokes these methods must guarantee that they cannot be invoked on behalf of untrusted code. These methods are listed in the following table.
...
Several methods that are charged with loading classes delegate their work to the class loader of the class whose method called them. The security checks associated with loading classes are often performed by class loaders. Consequently, any method that invokes one of these class-loading methods must guarantee that they cannot act on behalf of untrusted code. These methods are listed in the following table.
...
Compliant Solution
The getConnection() method above is unsafe because it uses the url argument to indicate a class to be loaded; this class serves as the database driver. This compliant solution prevents malicious users from supplying their own URL to the database connection, thereby limiting their ability to load untrusted drivers.
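The shape of that compliant solution, as an added illustration rather than the guideline's own listing: the caller may supply credentials, but the JDBC URL (which selects the driver class that gets loaded) is a constant fixed by the application. The class name, the URL value and the host are constructed for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public final class DatabaseAccess {
    // Constructed example value: the URL is fixed by the application and never
    // taken from a caller, so a caller cannot choose which driver class is loaded.
    private static final String JDBC_URL = "jdbc:example://db.internal.invalid:5432/app";

    private DatabaseAccess() {}

    // Noncompliant shape described by the guideline: the caller supplies the URL,
    // and the URL's prefix determines which driver class DriverManager loads.
    public static Connection getConnectionUnsafe(String url, String user, String password)
            throws SQLException {
        return DriverManager.getConnection(url, user, password);
    }

    // Compliant shape: only credentials come from the caller; they cannot
    // influence which class is loaded because the URL is a trusted constant.
    public static Connection getConnection(String user, String password)
            throws SQLException {
        return DriverManager.getConnection(JDBC_URL, user, password);
    }
}
```

If several databases must be reachable, keep the same discipline: map a small, fixed set of keys (an enum, say) to application-owned URL constants instead of accepting a URL string from the caller.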
...
This method delegates the task of dynamically loading the specified class to the Class.forName() method. The forName() method delegates the work of loading the class to its calling method's class loader. Because the calling method is MBeanInstantiator.loadClass(), the core class loader is used, which provides no security checks.
...
Allowing untrusted code to invoke methods with reduced security checks can grant excessive abilities to malicious code. Likewise, allowing untrusted code to carry out actions using the immediate caller's class loader may allow the untrusted code to execute with the same privileges as the immediate caller.
Methods that avoid using the immediate caller's class loader instance fall outside the scope of this guideline. For example, the three-argument java.lang.Class.forName() method requires an explicit argument that specifies the class loader instance to use. Do not use the immediate caller's class loader as the third argument when instances must be returned to untrusted code.
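An added example of that three-argument form, not code from the guideline: the loader passed to Class.forName() is a dedicated loader whose search path is fixed by the application and whose parent is the platform class loader, so it is neither the immediate caller's loader nor the application's own loader. The class name, the component directory and the method names are assumptions made for this illustration.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class ComponentLoader {
    // Constructed placeholder: the directory is chosen by the application, not a caller.
    private static final Path COMPONENT_DIR = Paths.get("/opt/app/components");

    // Dedicated loader: fixed search path, platform loader as parent. Classes it loads
    // cannot resolve application classes through it, and it is not the loader of
    // whichever class happens to call loadComponent().
    private static final ClassLoader COMPONENT_LOADER = newComponentLoader();

    private ComponentLoader() {}

    private static ClassLoader newComponentLoader() {
        try {
            URL[] roots = { COMPONENT_DIR.toUri().toURL() };
            return new URLClassLoader(roots, ClassLoader.getPlatformClassLoader());
        } catch (MalformedURLException e) {
            throw new IllegalStateException("invalid component directory", e);
        }
    }

    // Shape the guideline warns about: the one-argument forName() resolves the
    // name with the loader of the class that called it (ComponentLoader), so every
    // caller of this method loads, and initialises, classes with that loader.
    public static Class<?> loadWithCallerLoader(String name) throws ClassNotFoundException {
        return Class.forName(name);
    }

    // Out of scope of the guideline: the loader is an explicit, application-chosen
    // argument. initialize=false also keeps static initialisers from running at
    // load time; they run only when the application deliberately instantiates.
    public static Class<?> loadComponent(String name) throws ClassNotFoundException {
        return Class.forName(name, false, COMPONENT_LOADER);
    }
}
```

The point to verify in review is the third argument: it must be a loader the application constructed for this purpose, never `getClass().getClassLoader()` of the method doing the loading when the resulting Class objects or instances are handed back to untrusted callers.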
...