...
The noncompliant code example shows the code associated with initialization of a new Digester
instance in the org.apache.catalina.startup.ContextConfig
class. "A Digester
processes an XML input stream by matching a series of element nesting patterns to execute Rules that have been added prior to the start of parsing" [Tomcat 2009]. The code to initialize the Digester
follows:
...
The underlying problem is that the newInstance()
method is being invoked on behalf of a web application's class loader, the WebappClassLoader
, and it loads classes before Tomcat has loaded all the classes it needs. If a web application has loaded its own Trojan javax.xml.parsers.SAXParserFactory
, when Tomcat tries to access a SAXParserFactory
, it accesses the Trojan SaxParserFactory
installed by the web application rather than the standard Java SAXParserFactory
that Tomcat depends on.
Note that the Class.newInstance()
method requires the class to contain a no-argument constructor. If this requirement is not satisfied, a runtime exception results, which indirectly prevents a security breach.
Compliant Solution (Tomcat)
...
The webDigester
is also declared final. This prevents any subclasses from assigning a new object reference to webDigester
. (See rule OBJ10-J. Do not use public static nonfinal variablesfields for more information.) It also prevents a race condition where another thread could access webDigester
before it is fully initialized. (See rule OBJ11-J. Be wary of letting constructors throw exceptions for more information.)
...
Even if the Tomcat server continues to use the WebappClassLoader
to create the parser instance when attempting to process the web.xml
and other files, the explicit call to getParser()
in init()
ensures that the default parser has been set during prior initialization and cannot be replaced. Because this is a one-time setting, future attempts to change the parser are futile.
Note that the Class.newInstance()
method requires the class to contain a no-argument constructor. If this requirement is not satisfied, a runtime exception results, which indirectly prevents a security breach.
Risk Assessment
Allowing untrusted code to load classes enables untrusted code to replace benign classes with Trojan classes.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC03-J | high | probable | medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Parasoft Jtest | 9.5 | CERT.SEC03.ACL | Do not access the class loader in a web component |
Related Guidelines
Secure Coding Guidelines for the Java Programming Language, Version 3.0 | Guideline 6-3. Safely invoke standard APIs that bypass |
Android Implementation Details
On Android, the use of DexClassLoader
or PathClassLoader
requires caution.
Bibliography
[CVE 2011] | |
Section 4.3.2, Class Loader Delegation Hierarchy | |
[JLS 2005] | §4.3.2, The Class |
Bug ID 29936, API Class |
...
...