Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This noncompliant code example returns an instance of the immediate caller's class loader to any invoker. A malicious invoker can therefore, obtain the associated class loader using standard APIs such as java.lang.Class.getClassLoader(). Once this is achieved, it is trivial to use Class.forname() to load the malicious class from attacker space or exploit a trusted method that calls Class.newInstance() on an arbitrarily supplied object. Class.newInstance() does not throw any security exception when the class loader is either the same or the delegation ancestor of its immediate caller.

Code Block
bgColor#FFcccc
private Class doLogic() {
  ClassLoader myLoader = new myClassLoader();
  Class myClass = myLoader.loadClass("MyClass");
  return myClass; // returns Class instance to untrusted code
}

...