...
The following table lists the APIs that should be used with care [SCG 2009].
APIs That Mirror Language Checks
Because the `setAccessible()` and `getAccessible()` methods of class `java.lang.reflect.Field` are used to instruct the JVM to override the language access checks, they perform standard (and more restrictive) security manager checks and consequently lack the vulnerability discussed in this rule. Nevertheless, these methods should be used only with extreme caution. The remaining `set*()` and `get*()` field reflection methods perform only the language access checks and are vulnerable.
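The following is an added illustration, not code from the coding standard itself, of why the language-only check matters: `Field.get()` evaluates access against the class that invokes it (the immediate caller), not against whoever asked that class to do the reflection. The class, field names and the sample token value below are constructed for the demonstration; the noncompliant accessor succeeds on its own private field precisely because the check is made against the helper, while the compliant accessor refuses anything the language would not let an arbitrary caller read directly.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

// Constructed example: a class that holds a secret in a private field and also
// offers a general-purpose reflective accessor to other code.
public final class ReflectionHelperDemo {

    // Private: the language forbids other classes from reading this directly.
    private final String apiToken = "constructed-sample-token";

    // Public: any caller may read this without reflection anyway.
    public final String version = "1.0";

    // NONCOMPLIANT: Field.get() performs only the language access check, and it
    // performs it against the immediate caller, i.e. this class. Because this class
    // declares apiToken, the check passes, and the private value is handed to
    // whichever caller asked for it.
    public static Object readFieldUnsafe(Object target, String name)
            throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(name);
        return f.get(target);
    }

    // COMPLIANT: only reflect on members that every caller could already access
    // through the language: public fields of public classes. Non-public members
    // are refused before any reflective read takes place, so the helper cannot be
    // used to widen access on behalf of a less privileged caller.
    public static Object readFieldSafe(Object target, String name)
            throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField(name);
        boolean publicField = Modifier.isPublic(f.getModifiers());
        boolean publicClass = Modifier.isPublic(f.getDeclaringClass().getModifiers());
        if (!publicField || !publicClass) {
            throw new IllegalAccessException("refusing to reflect on non-public member " + name);
        }
        return f.get(target);
    }

    public static void main(String[] args) throws Exception {
        ReflectionHelperDemo demo = new ReflectionHelperDemo();

        // The unsafe accessor leaks the private field: the access check was made
        // against ReflectionHelperDemo, not against the code that called it.
        System.out.println("unsafe accessor returned: " + readFieldUnsafe(demo, "apiToken"));

        // The safe accessor still serves public members ...
        System.out.println("safe accessor (public field): " + readFieldSafe(demo, "version"));

        // ... but refuses the private one.
        try {
            readFieldSafe(demo, "apiToken");
        } catch (IllegalAccessException e) {
            System.out.println("safe accessor (private field): " + e.getMessage());
        }
    }
}
```

Note that `readFieldUnsafe` is only able to expose fields the helper class itself may access (its own private members and package-private members of its package), which is exactly the point of the rule: any reflective API that a trusted class invokes on behalf of others is checked with the trusted class's privileges, so such a class must never let callers choose which member is reflected upon.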
...
Risk Assessment
Misuse of APIs that perform language access checks only against the immediate caller can break data encapsulation, leak sensitive information, or permit privilege escalation attacks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
SEC05-J | High | Probable | Medium | P12 | L1
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
CodeSonar | | JAVA.CLASS.ACCESS.BYPASS | Reflection Bypasses Member Accessibility (Java)
Parasoft Jtest | | CERT.SEC05.ARM | Avoid using reflection methods
SonarQube | | | Changing or bypassing accessibility is security-sensitive
SpotBugs | | REFL_REFLECTION_INCREASES_ACCESSIBILITY_OF_CLASS | Implemented (since 4.5.0)
Related Guidelines
Guideline 9-10 / ACCESS-10: Be aware of standard APIs that perform Java language access checks against the immediate caller
Android Implementation Details
Reflection can be used on Android, so this rule is applicable. Also, the use of reflection may allow a developer to access private Android APIs and so requires caution.
Bibliography
...