Avoid user-generated class names for reflection

Metadata

ID: java-security/unsafe-reflection

Language: Java

Severity: Error

Category: Security

Description

Using reflection with class names being manually generated is unsafe and can lead to code injection. The class name must be validated and the program should make sure no malicious class can be loaded at runtime.

Non-Compliant Code Examples

class Test {
    void test() {
        String which = "org.owasp.benchmark.helpers." + props.getProperty("thing");
        System.out.println("foo");
        Class<?> thing = Class.forName(which);
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}

Compliant Code Examples

class Test {
    void test() {
        String which = "org.owasp.benchmark.helpers.MyClass";
        System.out.println("foo");
        Class<?> thing = Class.forName(which);
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}