...
Allowing untrusted code to load classes enables untrusted code to replace benign classes with Trojan classes.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC03-J | high | probable | medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Parasoft Jtest | 9.5 |
CERT. |
SEC03.ACL |
Do not access the class loader in a web component |
Related Guidelines
Secure Coding Guidelines for the Java Programming Language, Version 3.0 | Guideline 6-3. Safely invoke standard APIs that bypass |
Android Implementation Details
On Android, the use of DexClassLoader
or PathClassLoader
requires caution.
Bibliography
[CVE 2011] | |
Section 4.3.2, Class Loader Delegation Hierarchy | |
[JLS 2005] | §4.3.2, The Class |
Bug ID 29936, API Class |
...
...