...
According to the Java Language Specification [JLS 05], section 4.3.2, "The Class Object": "The method getClass returns the Class object that represents the class of the object." The first ten methods shown below can be used on a Class object.
...
```java
import java.util.Date;

public class ExceptionExample {
  public static void untrustedCode() {
    Date now = new Date();
    // getClass() hands back the Class object for java.util.Date
    Class<?> dateClass = now.getClass();
    createInstance(dateClass);
  }

  public static void createInstance(Class<?> dateClass) {
    try { // Create another Date object using the Date Class
      Object o = dateClass.newInstance();
      if (o instanceof Date) {
        Date d = (Date) o;
        System.out.println("The time is: " + d.toString());
      }
    } catch (InstantiationException ie) {
      System.out.println(ie.toString());
    } catch (IllegalAccessException iae) {
      System.out.println(iae.toString());
    }
  }
}
```
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References

[Gong 03] Section 4.3.2, "Class Loader Delegation Hierarchy"
[SCG 07] Guideline 6-2, "Safely invoke standard APIs that bypass SecurityManager checks depending on the immediate caller's class loader"
...