Avoid user-generated class names for reflection

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: java-security/unsafe-reflection

Language: Java

Severity: Error

Category: Security

CWE: 470

Description

Using reflection with class names being manually generated is unsafe and can lead to code injection. The class name must be validated and the program should make sure no malicious class can be loaded at runtime.

Non-Compliant Code Examples

class Test {
    void test() {
        String which = "org.owasp.benchmark.helpers." + props.getProperty("thing");
        System.out.println("foo");
        Class<?> thing = Class.forName(which);
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}

Compliant Code Examples

class Test {
    void test() {
        String which = "org.owasp.benchmark.helpers.MyClass";
        System.out.println("foo");
        Class<?> thing = Class.forName(which);
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis