SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 80

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2021.1

...

Basing security checks on untrusted sources can result in the check being bypassed.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SEC02-J

High

Probable

Medium

P12

L1

Automated Detection

Tool
Version
Checker
Description
Coverity7.5UNSAFE_REFLECTIONImplemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.SEC02.TDRFLProtect against Reflection injection

Related Guidelines

ISO/IEC TR 24772:2010

Authentication Logic Error [XZO]

MITRE CWE

CWE-302, Authentication Bypass by Assumed-Immutable Data
CWE-470, Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")

Android Implementation Details

The code examples using the java.security package are not applicable to Android, but the principle of the rule is applicable to Android apps.

Bibliography

[Sterbenz 2006]

...


...

Image Modified