...

The createInstance method is the immediate caller of java.lang.Class.newInstance <TO BE CONFIRMED> in this noncompliant example. The newInstance method is invoked on the dateClass class object. The problem is that the untrustedCode method can trigger the instantiation of a new class even though it should not have the permission to do so: the access check performed by newInstance is made against its immediate caller, createInstance, rather than against untrustedCode. Consequently, the security manager does not catch this behavior.

import java.util.Date;

public class ExceptionExample
{
    public static void untrustedCode()
    {
        Date now = new Date();
        Class<?> dateClass = now.getClass();
        createInstance(dateClass);
    }

    public static void createInstance(Class<?> dateClass)
    {
        try
        {   // Create another Date object using the Date Class
            Object o = dateClass.newInstance();
            if (o instanceof Date)
            {
                Date d = (Date) o;
                System.out.println("The time is: " + d.toString());
            }
        }
        catch (InstantiationException ie) { System.out.println(ie.toString()); }
        catch (IllegalAccessException iae) { System.out.println(iae.toString()); }
    }
}
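The following is an added example, not code from the original page or from the CERT standard it comes from, showing one way to keep a reflective instantiation helper from acting on behalf of a less-privileged caller. The class name GuardedInstantiation, the ALLOWED set and the sample calls in main are assumptions made for illustration. The helper is not public, so it is not reachable from code outside its package; it only instantiates classes on a fixed allow-list, so a caller cannot choose an arbitrary Class object; and it uses getDeclaredConstructor().newInstance() instead of the deprecated Class.newInstance(), which also stops checked exceptions thrown by the constructor from propagating undeclared.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.util.Date;
import java.util.Set;

public final class GuardedInstantiation
{
    // Constructed allow-list (assumption for this example): the only classes
    // this helper will ever instantiate, regardless of who calls it.
    private static final Set<Class<?>> ALLOWED = Set.of(Date.class, StringBuilder.class);

    private GuardedInstantiation() { }

    // Package-private: code outside this package cannot route an
    // instantiation request through this method and thereby inherit
    // the privileges of this class as the "immediate caller".
    static Object createInstance(Class<?> requested)
    {
        if (requested == null || !ALLOWED.contains(requested))
        {
            throw new SecurityException("Instantiation of " + requested + " is not permitted");
        }
        try
        {
            // Class.newInstance() is deprecated since Java 9; the constructor-based
            // form wraps constructor exceptions in InvocationTargetException.
            Constructor<?> ctor = requested.getDeclaredConstructor();
            return ctor.newInstance();
        }
        catch (NoSuchMethodException | InstantiationException | IllegalAccessException e)
        {
            throw new IllegalStateException("Cannot instantiate " + requested.getName(), e);
        }
        catch (InvocationTargetException e)
        {
            throw new IllegalStateException("Constructor of " + requested.getName() + " failed", e.getCause());
        }
    }

    public static void main(String[] args)
    {
        // Allowed: Date is on the list.
        Object d = createInstance(Date.class);
        System.out.println("Created " + d.getClass().getName());

        // Rejected: java.util.ArrayList is a constructed example of a class not on the list.
        try
        {
            createInstance(java.util.ArrayList.class);
        }
        catch (SecurityException se)
        {
            System.out.println("Rejected: " + se.getMessage());
        }
    }
}
```

The allow-list replaces reliance on the security manager for this decision, which matters in practice: java.lang.SecurityManager is deprecated for removal as of Java 17, so a check that depends on it will not be made at all on a runtime where it is disabled.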

...