...
This noncompliant code example returns an instance of the immediate caller's class loader to any invoker. A malicious invoker can therefore obtain the associated class loader through standard APIs such as `java.lang.Class.getClassLoader()`. Once this is achieved, it is trivial to use `Class.forName()` to load a malicious class from attacker-controlled space, or to exploit a trusted method that calls `Class.newInstance()` on an arbitrarily supplied object. `Class.newInstance()` does not throw a security exception when the class loader is either the same as, or a delegation ancestor of, the class loader of its immediate caller. (See SEC02-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code.)
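The following is an added illustration, not the guideline's own code example: a method that hands the immediate caller's class loader to any invoker, beside a version that performs the permission check the standard API would otherwise have applied to the invoker. The class and method names are assumptions.

```java
// Added example; class and method names are hypothetical.
public final class LoaderExposure {

    // Noncompliant: hands the immediate caller's class loader to any invoker.
    // Class.getClassLoader() checks RuntimePermission("getClassLoader") only
    // when the *immediate caller's* loader is neither the same as nor an
    // ancestor of the requested loader. Here the immediate caller is this
    // class itself, so no check happens, and a less-trusted invoker receives
    // a loader it could not have obtained directly (and can then use it with
    // Class.forName() to load classes of its choosing).
    public static ClassLoader getLoaderUnchecked() {
        return LoaderExposure.class.getClassLoader();
    }

    // Compliant: perform the check the standard API would have applied to the
    // untrusted invoker. SecurityManager.checkPermission() consults the whole
    // call stack, so an invoker lacking RuntimePermission("getClassLoader")
    // gets a SecurityException instead of the loader.
    public static ClassLoader getLoaderChecked() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new RuntimePermission("getClassLoader"));
        }
        return LoaderExposure.class.getClassLoader();
    }
}
```

Because the SecurityManager has been deprecated for removal since Java 17 (JEP 411), the explicit check above only helps on JVMs that still run with a security manager installed; on current releases the durable fix is simply not to expose the class loader through a public method at all.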
...
References

[SCG 07] Guideline 6-3, Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance
...