...
Ensure that untrusted code cannot invoke the affected APIs directly or indirectly (that is, via a call to an invoking method). Do not operate on tainted inputs and make sure that internal objects are not returned to untrusted code.
Exceptions
EX1: It is permissible to use APIs that do not use the immediate caller's class loader instance. For example, the three-argument java.lang.Class.forName() method requires an explicit argument that specifies the class loader instance to use.
```java
public static Class forName(String name,
                            boolean initialize,
                            ClassLoader loader) // explicitly specify the class loader to use
                     throws ClassNotFoundException
```
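The following is an added example, not part of the original guideline, contrasting the one-argument form (which resolves names with the immediate caller's class loader) with the three-argument form permitted by EX1. The class names, the allow-list, and the null-parent loader standing in for a less-trusted loader are assumptions made for illustration.

```java
import java.util.Set;

public class ExplicitLoaderExample {
    /** Constructed for the demo: visible to the application loader only. */
    public static class AppOnly { }

    // Hypothetical allow-list of names the trusted code agrees to resolve.
    private static final Set<String> ALLOWED =
        Set.of("java.util.ArrayList", AppOnly.class.getName());

    // Uses the immediate caller's loader: any code that reaches this method
    // resolves names with the authority of this class's own class loader.
    static Class<?> loadWithCallerLoader(String name) throws ClassNotFoundException {
        return Class.forName(name);
    }

    // EX1 form: the loader is an explicit argument and the name is validated first.
    static Class<?> loadWithExplicitLoader(String name, ClassLoader loader)
            throws ClassNotFoundException {
        if (!ALLOWED.contains(name)) {
            throw new SecurityException("class name not permitted: " + name);
        }
        return Class.forName(name, false, loader); // false: skip static initializers
    }

    public static void main(String[] args) throws Exception {
        // A loader with a null parent delegates only to the bootstrap loader;
        // it stands in for the loader of less-trusted code (assumption).
        ClassLoader restricted = new ClassLoader((ClassLoader) null) { };
        String appClass = AppOnly.class.getName();

        System.out.println(loadWithCallerLoader(appClass));
        System.out.println(loadWithExplicitLoader("java.util.ArrayList", restricted));
        try {
            loadWithExplicitLoader(appClass, restricted);
        } catch (ClassNotFoundException e) {
            System.out.println("not visible to restricted loader: " + e.getMessage());
        }
        try {
            loadWithExplicitLoader("java.lang.Runtime", restricted);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

With the explicit loader, the application class is not resolvable through the restricted loader, whereas the one-argument call resolves it regardless of who ultimately triggered the lookup.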
Risk Assessment
Allowing untrusted code to load libraries using the immediate caller's class loader may seriously compromise the security of a Java application.
...