It is possible to access fields and methods of another object from a given object; the JVM enforces language access checks while doing so to ensure that the access is permitted. For instance, although an object is not normally allowed to access private members or invoke private methods of another class, the APIs in the java.lang.reflect package allow an object to do so, contingent upon language access checks that mirror those performed by the compiler and the JVM. Because these checks are performed against the immediate caller, reflective access performed by trusted code on behalf of untrusted code can expose members the untrusted code could not reach directly.

...

Code Block (noncompliant example)
import java.lang.reflect.Field;

public class ReflectionExample {

  // Reads the named field of C reflectively, suppressing the language
  // access check with setAccessible(true).
  public static void makeAccessible(String fieldName) {
    C c = new C();
    try {
      Field f = c.getClass().getDeclaredField(fieldName);
      System.out.println(f.isAccessible());   // false: i is private
      f.setAccessible(true);                  // suppress the language access check
      System.out.println(f.isAccessible());   // true
      System.out.println(f.getInt(c));        // reads the private field: 10
    } catch (NoSuchFieldException nsfe) {
      System.err.println("no such field: " + fieldName);
    } catch (IllegalAccessException iae) {
      System.err.println("access denied: " + iae.getMessage());
    }
  }

  public static void main(String[] args) {
    makeAccessible("i");
  }
}

class C {
  private int i = 10;
}

...

Avoid invoking the affected APIs on Class, Constructor, Field or Method instances passed in from untrusted code. Even when the instances are acquired safely, do not pass tainted inputs provided by untrusted code as arguments to these APIs. Likewise, do not return the resulting values to an untrusted caller. The table below lists the APIs that should be used with care.

APIs that mirror language checks:

  • java.lang.Class.newInstance
  • java.lang.reflect.Constructor.newInstance
  • java.lang.reflect.Field.get*
  • java.lang.reflect.Field.set*
  • java.lang.reflect.Method.invoke
  • java.util.concurrent.atomic.AtomicIntegerFieldUpdater.newUpdater
  • java.util.concurrent.atomic.AtomicLongFieldUpdater.newUpdater
  • java.util.concurrent.atomic.AtomicReferenceFieldUpdater.newUpdater
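The following added example (not part of the original rule page) contrasts a trusted helper that performs a reflective read on a Field instance handed in by its caller with one that resolves the field itself and restricts what it will read. The class names FieldReader and Config, the ALLOWED_CLASSES allow list, and the sample field values are hypothetical and constructed for the illustration.

```java
import java.lang.reflect.Field;
import java.util.Set;

// Added example: a trusted helper that reads fields reflectively on behalf of callers.
public final class FieldReader {

    // Hypothetical allow list: the only classes whose fields this helper will read.
    private static final Set<String> ALLOWED_CLASSES = Set.of("Config");

    // NONCOMPLIANT: the Field instance comes from the caller, and Field.get performs
    // its language access check against this class (the immediate caller), not against
    // the code that supplied the Field. setAccessible(true) then removes the check
    // entirely, so a private field of any class becomes readable through this method.
    public static Object readUnchecked(Field f, Object target) throws IllegalAccessException {
        f.setAccessible(true);
        return f.get(target);
    }

    // COMPLIANT: never accepts a Field from the caller; resolves the field by name from
    // the target's own class, restricts the declaring class to the allow list, and uses
    // getField, which only returns public members. The helper therefore grants nothing
    // the caller could not have read directly.
    public static Object readChecked(Object target, String fieldName)
            throws NoSuchFieldException, IllegalAccessException {
        Class<?> c = target.getClass();
        if (!ALLOWED_CLASSES.contains(c.getSimpleName())) {
            throw new IllegalArgumentException("class not permitted: " + c.getName());
        }
        Field f = c.getField(fieldName); // throws NoSuchFieldException for non-public fields
        return f.get(target);
    }

    public static void main(String[] args) throws Exception {
        Config cfg = new Config();

        // Untrusted code can obtain the Field object for a private member with
        // getDeclaredField (no access check is needed to obtain it) and pass it in.
        Field secret = Config.class.getDeclaredField("secret");
        System.out.println("unchecked read of private field: " + readUnchecked(secret, cfg));

        // The checked helper reads only public fields of allow-listed classes.
        System.out.println("checked read of public field: " + readChecked(cfg, "name"));
        try {
            readChecked(cfg, "secret");
        } catch (NoSuchFieldException e) {
            System.out.println("checked read refused private field 'secret'");
        }
    }
}

// Constructed sample class with one public and one private field.
class Config {
    public String name = "example";
    private String secret = "constructed-sample-value";
}
```

On Java 9 and later, setAccessible(true) throws InaccessibleObjectException when the target's package belongs to a named module that is not opened to the caller; for classes on the class path (the unnamed module), as in this example, the call succeeds and the private field is exposed. The allow list in readChecked is deliberately independent of that module behaviour, so the helper's policy does not depend on how the application is packaged.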

Risk Assessment

TODO

Rule      Severity   Likelihood   Remediation Cost   Priority   Level
SEC04-J   ??         ??           ??                 P??        L??

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

...

[Chan 99] java.lang.reflect AccessibleObject
[SCG 07] Guideline 6-4: Be aware of standard APIs that perform Java language access checks against the immediate caller
TODO