...
The permission ReflectPermission with action suppressAccessChecks should also not be granted, so that the security manager blocks attempts to access private fields of other classes. (See SEC32-J. Do not grant ReflectPermission with action suppressAccessChecks.)
Noncompliant Code Example
This noncompliant code example accepts an instance of java.lang.Class from untrusted code. Language access checks are not carried out against this instance; they are carried out against the immediate caller of getInstance() instead. This allows an attacker to interleave malicious code with trusted code.
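```java
// Requires: import java.lang.reflect.Field;
public static void makeAccessible(Class<?> c, String fieldName) {
  try {
    // c is supplied by untrusted code
    Field f = c.getDeclaredField(fieldName);
    System.out.println(f.getInt(c)); // unsafe!
  } catch (ReflectiveOperationException e) {
    // ...
  }
}
```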
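The following added example (not part of the original page) isolates the immediate-caller check. The classes Trusted, Untrusted and CallerCheckDemo and the field secret are constructed for the demonstration. The direct reflective read from Untrusted is rejected with IllegalAccessException, while the same read routed through the trusted helper succeeds because the check is made against Trusted.

```java
import java.lang.reflect.Field;

// Constructed demo; all class and field names are hypothetical.
// Top-level classes are used on purpose: nested classes are nestmates
// (Java 11+) and may access each other's private members.
class Trusted {
    private static int secret = 42;

    // Same shape as the noncompliant method: Class and field name come
    // from the caller, but Field.getInt() checks access against Trusted.
    static int readField(Class<?> c, String fieldName)
            throws ReflectiveOperationException {
        Field f = c.getDeclaredField(fieldName);
        return f.getInt(null); // static field, so the receiver is ignored
    }
}

class Untrusted {
    // Direct reflective read: the immediate caller is Untrusted.
    static String readDirectly() {
        try {
            Field f = Trusted.class.getDeclaredField("secret");
            return "read " + f.getInt(null);
        } catch (ReflectiveOperationException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    // Same read, routed through the trusted helper.
    static String readViaTrusted() {
        try {
            return "read " + Trusted.readField(Trusted.class, "secret");
        } catch (ReflectiveOperationException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }
}

public class CallerCheckDemo {
    public static void main(String[] args) {
        System.out.println("direct:      " + Untrusted.readDirectly());
        System.out.println("via trusted: " + Untrusted.readViaTrusted());
    }
}
```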
Compliant Solution
Avoid invoking affected APIs on Class, Constructor, Field or Method instances obtained from untrusted code. This can be done by explicitly instantiating the class within the makeAccessible method.
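```java
// Requires: import java.lang.reflect.Field;
public static void makeAccessible() {
  C c = new C(); // instantiated by trusted code; assumes C declares an int field i
  String fieldName = "i";
  try {
    Field f = c.getClass().getDeclaredField(fieldName);
    System.out.println(f.getInt(c)); // class and field are fixed by this method
  } catch (ReflectiveOperationException e) {
    // ...
  }
}
```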
Risk Assessment
Misuse of APIs that perform language access checks against the immediate caller only can break data encapsulation.
...