SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 39

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 40

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In the presence of a security manager, it is hard for malicious code to exploit Java's security model. For example, instantiating sensitive classes such as a java.lang.ClassLoader is prohibited in the context of a web browser. It is critical to ensure that untrusted code does not indirectly use the privileges of legit code. Failure to do so can leave the code vulnerable to privilege escalation attacks. This is because, classes loaded by the same class loader exist in the same namespace and will have identical privileges. Consider for example, an untrusted method calling a class method which loads classes using its own trusted class loader. This is a problem as untrusted code's class loader may not have the permission to load the particular class. Also, if the trusted code accepts tainted inputs, it is susceptible to exploits resulting from malicious classes getting may be loaded.

The APIs tabulated here below perform tasks using the immediate caller's class loader. They can be exploited if (1) They are invoked indirectly by untrusted code and (2) They accept tainted inputs from untrusted code.

...

Noncompliant Code Example

The untrustedCode() method of class Untrusted invokes the loadLib() method of class NativeCode in this noncompliant code example. This is insecure as the library gets loaded on behalf of the untrusted code. In essence, the untrusted code's class loader may be able to indirectly load the intended library even if it does not have sufficient permissions.

...

Sometimes, a call to System.loadLibrary() is embedded in a doPrivileged block, as shown below. An unprivileged caller can maliciously invoke this piece of code using the same technique.

...

Code Block
bgColor#FFcccc
// className is Foo
Class c = Class.forName(className);

Compliant Solution

Again, limit Limit the visibility of the method that uses this API. Do not operate on tainted inputs. The preceding noncompliant code example can be fixed by hard-coding This compliant solution hardcodes the class's name.

Code Block
bgColor#ccccff
Class c = Class.forName("Foo"); // explicitly hardcode

...

Code Block
public static Class forName(String name,
                            boolean initialize,
                            ClassLoader loader) //* explicitly specify the class loader to use */
                     throws ClassNotFoundException

...