In the presence of a security manager, it is hard for malicious code to subvert Java's security model. For example, instantiating sensitive classes such as java.lang.ClassLoader is prohibited in the context of a web browser. It is critical to ensure that untrusted code cannot indirectly use the privileges of legitimate code that is allowed to instantiate and use sensitive classes. Failure to do so can leave the code vulnerable to privilege escalation attacks, because classes loaded by the same class loader exist in the same namespace and have identical privileges. Consider, for example, an untrusted method that calls a method of a trusted class, and that method loads classes using its own trusted class loader. This is a problem because the untrusted code's class loader may not have permission to load that particular class, yet the class is loaded anyway, on the untrusted code's behalf. Furthermore, if the trusted code accepts tainted inputs (such as a caller-supplied class or library name), malicious classes may be loaded.
The APIs tabulated below perform tasks using the immediate caller's class loader. They can be exploited if (1) they are invoked, directly or indirectly, by untrusted code, or (2) they accept tainted inputs from untrusted code; in practice both conditions often hold at once.
...
In this noncompliant code example, the untrustedCode() method of class Untrusted invokes the loadLib() method of class NativeCode. This is insecure because the library is loaded on behalf of the untrusted code: NativeCode's trusted class loader loads the library even though the untrusted code's own class loader lacks sufficient permission to do so, so the untrusted code obtains the library indirectly.
...
Non-native library code can also be susceptible to related security flaws. Loading a non-native library that is itself safe may not expose a vulnerability by itself, but once an unsafe library has been loaded, an attacker can readily exploit any other vulnerabilities it contains. Moreover, non-native libraries often use doPrivileged blocks, making them a lucrative target: code inside such a block stops the security manager's stack walk at that frame, so the lack of privilege of the untrusted caller further up the stack is never noticed.
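The following is an added example, not the page's own (elided) NativeCode/Untrusted listing. It makes the two conditions above concrete for native library loading: a trusted class that wraps System.loadLibrary in a doPrivileged block, first in a form that is reachable by untrusted code and accepts a tainted library name, then in the hardened form that hardcodes the name and is not exposed. The class name NativeCodeBridge, the library name "trustednative", and the package layout are assumptions for illustration.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/*
 * Added example (not from the original page). NativeCodeBridge, the library
 * name and the package layout are assumed. It models a trusted class that
 * loads a native library on behalf of its callers.
 */
public final class NativeCodeBridge {

    private NativeCodeBridge() {}

    /*
     * NONCOMPLIANT. Both conditions from the text hold:
     *  (1) the method is public, so untrusted code can invoke it, directly or
     *      through some other trusted API that forwards to it, and
     *  (2) the library name is tainted: the caller chooses it.
     * Because the load runs inside doPrivileged, the security manager's stack
     * walk stops at this frame, so the untrusted caller's missing
     * RuntimePermission("loadLibrary.<name>") is never consulted. The library
     * is bound to this class's (trusted) class loader, i.e. it is loaded as
     * if by trusted code, and the untrusted caller decided which library.
     */
    public static void loadLib(final String libName) {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                System.loadLibrary(libName); // tainted name, loaded for the caller
                return null;
            }
        });
    }

    /*
     * COMPLIANT. The library name is hardcoded, so there is no tainted input,
     * and the method is package-private, so only classes in this trusted
     * package can reach it. Seal the package in the JAR manifest so that
     * untrusted code cannot drop a class into the package to gain access.
     */
    static void loadTrustedLib() {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                System.loadLibrary("trustednative"); // assumed name, hardcoded
                return null;
            }
        });
    }
}
```

Two caveats for anyone applying this pattern. First, the compliant form depends on accessibility, so it only holds if the package is sealed and the trusted JAR cannot be extended by untrusted code; a public wrapper elsewhere in the trusted code base that forwards a caller-supplied name to loadTrustedLib's package would reintroduce the defect. Second, the security manager and AccessController are deprecated for removal as of Java 17, so on current runtimes the only remaining defence is the compliant shape itself: no tainted name, and no exposure of the loading method to untrusted callers.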
...
```java
Class c = Class.forName("Foo"); // Explicitly hardcode the class name; never take it from the caller
```
Noncompliant Code Example
...
```java
private Class<?> doLogic() throws ClassNotFoundException {
  // myClassLoader is a custom ClassLoader subclass, defined elsewhere, owned by the trusted code
  ClassLoader myLoader = new myClassLoader();
  Class<?> myClass = myLoader.loadClass("MyClass");
  return myClass; // Returns the Class instance to untrusted code
}
```
...
```java
private void doLogic() throws ClassNotFoundException {
  // myClassLoader is a custom ClassLoader subclass, defined elsewhere, owned by the trusted code
  ClassLoader myLoader = new myClassLoader();
  Class<?> myClass = myLoader.loadClass("MyClass");
  // Do what is required here itself; do not return myClass to the caller
}
```
...