...
Sometimes it is desirable to check whether a given object has a specific class type or whether two objects have the same class type associated with them, for example, when implementing the equals() method. If the comparison is performed incorrectly, the code might assume that the two objects are of the same class when they are not.
Depending on the function that the insecure code performs, it may be vulnerable to a mix-and-match attack. An attacker may supply a malicious class with the same fully qualified name as the target class. If access to a critical resource is granted based on a comparison of class names alone, the malicious class may end up with more privileges than is warranted.
Conversely, the assumption that two classes deriving from the same codebase are themselves the same class in a JVM is error-prone. A class is identified within the JVM by its fully qualified name together with its defining class loader, so the same bytecode loaded by two different loaders yields two distinct Class objects. While the assumption is commonly observed to be true in desktop applications, it is typically not the case with J2EE servlet containers. The containers may use different class loader instances to deploy and recall applications at runtime, without having to restart the JVM. In such situations, two objects whose classes come from the same codebase may appear to the JVM to belong to two different classes. Also note that the equals() method may not return true when comparing objects originating from the same codebase.
...
```java
// Determine whether object auth has required/expected class name
if (auth.getClass().getName().equals("com.application.auth.DefaultAuthenticationHandler")) {
  // ...
}
```
The main issue is that multiple classes may exist with the same name in the JVM, each defined by a different class loader; consequently this is not a valid comparison.
Compliant Solution
This compliant solution compares the class object of auth to the class object of the class that the current class loader loads, instead of comparing just the class names.
...
This noncompliant code example compares the names of the class objects of objects x and y using the equals() method. Again, it is possible that x and y are instances of distinct classes with the same name, if those classes come from different class loaders.
```java
// Determine whether objects x and y have the same class name
if (x.getClass().getName().equals(y.getClass().getName())) {
  // Code assumes that the objects have the same class
}
```
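The following is an added, self-contained demonstration of both situations above (the name check against a fixed class name, and the name check between two objects); it is not code from the CERT page. It loads the same class a second time through a fresh URLClassLoader whose parent is the bootstrap loader, so the JVM ends up with two distinct Class objects that share one fully qualified name. The class name ClassIdentityDemo, the nested Handler class (standing in for the page's DefaultAuthenticationHandler) and the helper method names are all assumptions made for this example.

```java
import java.net.URL;
import java.net.URLClassLoader;

public class ClassIdentityDemo {

    // Assumed stand-in for com.application.auth.DefaultAuthenticationHandler.
    public static class Handler { }

    // Noncompliant: identity decided by the fully qualified name alone.
    static boolean sameByName(Object a, Object b) {
        return a.getClass().getName().equals(b.getClass().getName());
    }

    // Compliant: identity decided by the Class object, which is unique per
    // (name, defining class loader) pair inside one JVM.
    static boolean sameByClass(Object a, Object b) {
        return a.getClass() == b.getClass();
    }

    // Compliant form of the first example: compare against the Class object
    // that the current class loader resolves for Handler.
    static boolean isTrustedHandler(Object auth) {
        return auth.getClass() == Handler.class;
    }

    // Loads Handler again from the same code source through a loader whose
    // parent is null (bootstrap), so parent delegation cannot hand back the
    // Class already defined by the application class loader.
    static Class<?> reloadHandler() throws Exception {
        URL here = ClassIdentityDemo.class.getProtectionDomain()
                                          .getCodeSource().getLocation();
        URLClassLoader isolated = new URLClassLoader(new URL[] { here }, null);
        return isolated.loadClass(Handler.class.getName());
    }

    public static void main(String[] args) throws Exception {
        Object original = new Handler();
        Class<?> reloaded = reloadHandler();
        Object impostor = reloaded.getDeclaredConstructor().newInstance();

        // Same bytecode, same name, different defining loader.
        System.out.println("same name   : " + sameByName(original, impostor));  // true
        System.out.println("same class  : " + sameByClass(original, impostor)); // false
        System.out.println("instanceof  : " + (impostor instanceof Handler));   // false

        // The name-based check would accept the impostor; the Class-based
        // check only accepts the Handler this loader actually defined.
        System.out.println("trusted(original): " + isTrustedHandler(original)); // true
        System.out.println("trusted(impostor): " + isTrustedHandler(impostor)); // false
    }
}
```

Compile with javac and run the resulting class file (or jar); the code-source location used by reloadHandler() comes from the compiled output, so the single-file source launcher is not suitable here. The "same name / different class" result is exactly the situation a servlet container creates when it redeploys an application with a new class loader, and it is why the compliant solution compares Class objects rather than names.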
...
Comparing classes using their names may allow a malicious class to gain elevated privileges.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
OBJ06-J | high | unlikely | low | P9 | L2 |
...