...
Depending on the function that the insecure code performs, it may be vulnerable to a mix-and-match attack. An attacker may supply a malicious class with the same name as the target class (loaded by a different class loader, since two classes with the same name can coexist in a JVM as long as their defining loaders differ). If access to a critical resource is granted on the basis of a class-name comparison alone, the malicious class may end up with more privileges than it requires.
...
This noncompliant code example compares the name of the class of object hauth to the string com.application.auth.DefaultAuthenticationHandler and proceeds depending on the result of the comparison.
```java
// Determine whether object hauth has required/expected class name
if (hauth.getClass().getName().equals("com.application.auth.DefaultAuthenticationHandler")) {
  // ...
}
```
...
This compliant solution compares the class object of object hauth to the class object that the current class loader loads for that name, instead of comparing just the class names.
...
The call to loadClass() returns the class having the specified name in the current namespace (consisting of the class name and the defining class loader), and the comparison is correctly performed on the two class objects.
...
```java
// Determine whether objects x and y have the same class name
if (x.getClass().getName().equals(y.getClass().getName())) {
  // Code assumes that the objects have the same class
}
```
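The following is an added, self-contained example (not code from the CERT page) showing why both name comparisons above fail and how the class-object comparison from the compliant solution holds up. It defines a hypothetical trusted class TrustedHandler (standing in for com.application.auth.DefaultAuthenticationHandler) and a custom ClassLoader, ShadowLoader, that defines a second class with the same name from the same bytecode without delegating to its parent. The name-only checks accept the object created through ShadowLoader; the checks that compare Class objects (one against the class loaded through this class's own loader, one between two arbitrary objects) reject it, as does instanceof. ShadowLoader, TrustedHandler and the check method names are all assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;

public class ClassIdentityDemo {

    // Hypothetical trusted class standing in for
    // com.application.auth.DefaultAuthenticationHandler (assumption of this example).
    public static class TrustedHandler {
        public TrustedHandler() {}
    }

    // Class loader that defines its own copy of one target class from the
    // parent's bytecode instead of delegating. A real attacker-controlled loader
    // could just as well define a different class body under the same name.
    static final class ShadowLoader extends ClassLoader {
        private final String target;

        ShadowLoader(ClassLoader parent, String target) {
            super(parent);
            this.target = target;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(target)) {
                return super.loadClass(name, resolve); // normal parent-first delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] bytes = readClassBytes(name);
                    c = defineClass(name, bytes, 0, bytes.length); // defining loader is now ShadowLoader
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }

        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(resource)) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                return in.readAllBytes();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    // Noncompliant: compares only the class name (first example on this page).
    static boolean nameCheck(Object h) {
        return h.getClass().getName().equals(TrustedHandler.class.getName());
    }

    // Noncompliant: compares only the names of two objects' classes (second example).
    static boolean sameClassNameCheck(Object x, Object y) {
        return x.getClass().getName().equals(y.getClass().getName());
    }

    // Compliant: compares Class objects, resolving the expected class through
    // this class's own loader so the namespace (name + defining loader) matches.
    static boolean classCheck(Object h) throws ClassNotFoundException {
        Class<?> expected = ClassIdentityDemo.class.getClassLoader()
                .loadClass(TrustedHandler.class.getName());
        return h.getClass() == expected;
    }

    // Compliant: two objects share a class only if their Class objects are identical.
    static boolean sameClassCheck(Object x, Object y) {
        return x.getClass() == y.getClass();
    }

    public static void main(String[] args) throws Exception {
        String name = TrustedHandler.class.getName();
        ShadowLoader shadow = new ShadowLoader(ClassIdentityDemo.class.getClassLoader(), name);
        Object impostor = shadow.loadClass(name).getDeclaredConstructor().newInstance();
        Object genuine = new TrustedHandler();

        System.out.println("genuine:  nameCheck=" + nameCheck(genuine)
                + " classCheck=" + classCheck(genuine));
        System.out.println("impostor: nameCheck=" + nameCheck(impostor)
                + " classCheck=" + classCheck(impostor)
                + " instanceof=" + (impostor instanceof TrustedHandler));
        System.out.println("genuine vs impostor: sameClassNameCheck="
                + sameClassNameCheck(genuine, impostor)
                + " sameClassCheck=" + sameClassCheck(genuine, impostor));
    }
}
```

Compile with javac and run the resulting class files rather than using the single-file source launcher, because ShadowLoader reads the TrustedHandler bytecode back through the parent loader's getResourceAsStream, which needs the .class file on the class path. In the output the impostor passes every name-based check and fails every Class-object check; it is also not an instance of TrustedHandler, so a cast would throw ClassCastException even though the name matches.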
...