In a JVM, a class is identified by its fully qualified class name and its Classloader. A class with the same name but a different package name is different, and a class with the same fully qualified name but which has been loaded with a different Classloader is also different. "Two classes are the same class (and consequently the same type) if they are loaded by the same class loader and they have the same fully qualified name" [[JVMSpec 99]] §2.8.1 Class Names
.
One may frequently want to know whether a given object has a specific class or whether two objects have the same class, for example, in implementing the equals() method. If the comparison is performed incorrectly, your code might assume that two objects are of the same class when they're not.
Depending on the function that this code performs, this might introduce a vulnerability to a mix-and-match attack. An attacker can supply code that is the same name as your class; if you rely on comparing the classname as a string, you might end up believing it is privileged code and granting it undue privileges.
Conversely, the assumption that the same codebase will result in the same class in a JVM is error-prone. While it is usually true for common user applications, it is not the case with J2EE servers like servlet containers, which could use different instances of Classloaders to be able to deploy and recall applications at runtime without restarting the JVM. In such situations, two objects whose classes come from the same codebase could be different classes to the JVM, and it could be confusing to get false from the equals() method on their respective classes.
Noncompliant Code Example
In this noncompliant example, the code compares the name of the class of object h to the string DefaultAuthenticationHandler and proceeds according to whether this comparison succeeds or not.
// determine whether object h has required/expected class name
if (h.getClass().getName().equals("com.example.application.auth.DefaultAuthenticationHandler")) {
// code assumes it's an authorized class
}
The problem with this example is that another class could exist with the same name in the same JVM.
Compliant Solution
This compliant solution compares the class object of h itself to the class object of the class that the current class loader would load with the required name.
// determine whether object h has required/expected class name
if (h.getClass() == this.getClassLoader().loadClass("com.example.application.auth.DefaultAuthenticationHandler")) {
// code determines authorized class loaded by same classloader
}
The call to loadClass() returns the class having the specified name in the current namespace (of the classloader), and the comparison is correctly performed on two class objects.
Noncompliant Code Example
This code compares the names of the two classes of objects x and y and behaves accordingly.
// determine whether objects x and y have same class name
if (x.getClass().getName().equals( y.getClass().getName() )) {
// code assumes objects have same class
}
Compliant Solution
This compliant solution correctly compares the two objects' classes.
// determine whether objects x and y have same class
if (x.getClass() == y.getClass()) {
// code determines whether objects have same class
}
The class objects will only be equal when they have the same class as defined in [[JVMSpec 99]] and repeated above.
Risk Assessment
Incorrectly comparing classes using their names could give an attacker's class undesirable privileges.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
OBJ34- J |
medium |
unlikely |
low |
P6 |
L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[JVMSpec 99]] §2.8.1 Class Names
[[Christudas 05]]
[[Mcgraw 98]]
[[Wheeler 03]] Java
[[MITRE 09]] CWE ID 486 "Comparison of Classes by Name"
OBJ33-J. Limit the extensibility of classes and methods to only trusted subclasses 07. Object Orientation (OBJ) OBJ35-J. Use checked collections against external code