Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup In a Java Virtual Machine (JVM), "Two classes are the same class (and consequently the same type) if they are loaded by the same class loader , and they have the same fully qualified name" \[ [JVMSpec 1999|AA. Bibliography#JVMSpec 99]\]. A class with the same name but a different package name is different, and a class with the same fully qualified name but which has been loaded by a different class loader is also different. Two classes with the same name but different package names are distinct, as are two classes with the same fully qualified name loaded by different class loaders.

It could be necessary to check whether a given object has a specific class type or whether two objects have the same class type associated with them, for example, when implementing the equals() method. If the comparison is performed incorrectly, the code could assume that the two objects are of the same class when they are not. As a result, class names must not be compared.

...

Conversely, the assumption that two classes deriving from the same code base codebase are themselves the same is error - prone. While Although this assumption is commonly observed to be true in desktop applications, it is typically not the case with J2EE servlet containers. The containers can use different class loader instances to deploy and recall applications at runtime , without having to restart the JVM. In such situations, two objects whose classes come from the same code base codebase could appear to the JVM to be two different classes. Also note that the equals() method might not return true when comparing objects originating from the same code basecodebase.

Noncompliant Code Example

This noncompliant code example compares the name of the class (Auth) of object auth to the string "com.application.auth.DefaultAuthenticationHandler" and branches on the result of the comparison.:

Code Block
bgColor#FFCCCC

 // Determine whether object auth has required/expected class nameobject
 if (auth.getClass().getName().equals(
      "com.application.auth.DefaultAuthenticationHandler")) {
   // ...
}

Comparing fully qualified class names is insufficient because distinct class loaders can load differing classes with identical fully qualified names into a single JVM.

Compliant Solution

This compliant solution compares the class object of class Auth to object auth to the class object of the class that the current class loader loads, instead of comparing just the class names.for the canonical default authentication handler:

Code Block
bgColor#ccccff

 // Determine whether object hauth has required/expected class name
 if (auth.getClass() == this.getClass().getClassLoader().loadClass("com.application.auth.DefaultAuthenticationHandler").class) {
   // ...
}

The call to loadClass() returns the class with the specified name in the current name space (consisting of the class name and the defining class loader), and right-hand side of the comparison directly names the class of the canonical authentication handler. In the event that the canonical authentication handler had not yet been loaded, the Java runtime manages the process of loading the class. Finally, the comparison is correctly performed on the two class objects.

...

This noncompliant code example compares the names of the class objects of classes x and y using the equals() method. Again, it is possible that x and y are distinct classes with the same name , if they come from different class loaders.

Code Block
bgColor#FFCCCC

// Determine whether objects x and y have the same class name
if (x.getClass().getName().equals(y.getClass().getName())) {
  // Code assumes that the objects Objects have the same class
}

Compliant Solution

This compliant solution correctly compares the two objects' classes.:

Code Block
bgColor#ccccff

// Determine whether objects x and y have the same class
if (x.getClass() == y.getClass()) {
  // Code determines whether the objectsObjects have the same class
}

Risk Assessment

Comparing classes solely using their names can allow a malicious class to bypass security checks and gain access to protected resources.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

OBJ09-J

high

High

unlikely

Unlikely

low

Low

P9

L2

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Signature String CheckerEnsure that the string representation of a type is properly used for example in Class.forName (see Chapter 13)
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.OBJ09.CMPDo not compare Class objects by name
PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V6054
SonarQube

Include Page
SonarQube_V
SonarQube_V

S1872Classes should not be compared by name

Related Guidelines

MITRE CWE

CWE-486,

"

Comparison of Classes by Name

"

Bibliography

...

[

[Christudas 2005

AA. Bibliography#Christudas 05]

]

Internals of Java Class Loading

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5f35c3b6-84b6-481c-8fca-fe46349ded1d"><ac:plain-text-body><![CDATA[

[

[JVMSpec 1999

AA. Bibliography#JVMSpec 99

]

]

[

§2.8.1

Class Names

http://java.sun.com/docs/books/jvms/second_edition/html/Concepts.doc.html]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8fa70e9c-7c7d-4f41-bb9c-b3a9047defb5"><ac:plain-text-body><![CDATA[

[[McGraw 1998

AA. Bibliography#Mcgraw 98]]

Twelve rules for developing more secure Java code

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="adbcf619-d550-409d-b6a0-df5ffed7f63d"><ac:plain-text-body><![CDATA[

[[Wheeler 2003

AA. Bibliography#Wheeler 03]]

[Java

http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/java.html] Secure programming for Linux and Unix HOWTO

]]></ac:plain-text-body></ac:structured-macro>

, Class Names

[McGraw 1998]

"Twelve Rules for Developing More Secure Java Code"

[Wheeler 2003]

Java Secure Programming for Linux and UNIX HOWTO


...

Image Added Image Added Image AddedOBJ08-J. Do not expose sensitive private members of an outer class from within a nested class      04. Object Orientation (OBJ)      OBJ10-J. Do not use public static non-final variables