Avoid user-generated class names for reflection
ID: java-security/unsafe-reflection
Language: Java
Severity: Error
Category: Security
CWE : 470
Description
Using reflection with a class name that is assembled at runtime from external input is unsafe and can lead to code injection. The class name must be validated, and the program must ensure that no malicious class can be loaded at runtime.
Non-Compliant Code Examples
```java
import java.lang.reflect.Constructor;
import java.util.Properties;

class Test {
    // Properties loaded from an external source, so their values are untrusted
    Properties props = new Properties();

    void test() throws Exception {
        // The class name is built from the untrusted "thing" property, so the
        // property value decides which class gets loaded and instantiated
        String which = "org.owasp.benchmark.helpers." + props.getProperty("thing");
        System.out.println("foo");
        Class<?> thing = Class.forName(which);
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}
```
Compliant Code Examples
```java
import java.lang.reflect.Constructor;

class Test {
    void test() throws Exception {
        // The class name is a compile-time constant: no external input can change
        // which class is loaded
        String which = "org.owasp.benchmark.helpers.MyClass";
        System.out.println("foo");
        Class<?> thing = Class.forName(which);
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}
```
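A constant class name is not always possible: sometimes configuration genuinely has to select the implementation. The following is an added example, not code from the rule page or from Datadog, showing how to keep that selection safe by resolving the configured value through a fixed allowlist instead of passing it to `Class.forName()`. The `Handler` interface, its two implementations, the `handler` property and the `SafeReflection` class are all hypothetical and exist only for this example; it assumes Java 9 or later for `Map.of`.

```java
import java.util.Map;
import java.util.Properties;

// Added example (not from the rule page): the class to instantiate is chosen by a
// configuration value, but that value is only ever used as a key into a fixed
// allowlist, so no externally supplied string reaches Class.forName().
public class SafeReflection {

    // Hypothetical plugin interface and two implementations, assumed for this example.
    public interface Handler {
        String handle(String input);
    }

    public static final class UpperHandler implements Handler {
        public String handle(String input) {
            return input.toUpperCase();
        }
    }

    public static final class ReverseHandler implements Handler {
        public String handle(String input) {
            return new StringBuilder(input).reverse().toString();
        }
    }

    // Closed set of loadable classes, keyed by the short name configuration may use.
    // Adding a class here is a code change reviewed like any other.
    private static final Map<String, Class<? extends Handler>> ALLOWED = Map.of(
            "upper", UpperHandler.class,
            "reverse", ReverseHandler.class);

    // Resolves the configured handler. The property value is looked up, never
    // interpreted as a class name, and the result is typed as Handler, so only
    // classes that were allowlisted at compile time can ever be instantiated.
    public static Handler loadHandler(Properties props) throws ReflectiveOperationException {
        String key = props.getProperty("handler");
        Class<? extends Handler> clazz = ALLOWED.get(key);
        if (clazz == null) {
            // Unknown or missing key: fail closed instead of guessing a class name.
            throw new IllegalArgumentException("handler not allowed: " + key);
        }
        return clazz.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // Constructed sample configuration, standing in for a loaded properties file.
        Properties props = new Properties();
        props.setProperty("handler", "reverse");
        System.out.println(loadHandler(props).handle("abc"));

        // A value outside the allowlist is rejected, whatever class name it spells.
        props.setProperty("handler", "com.example.SomeOtherClass");
        try {
            loadHandler(props);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The key design choice is that the allowlist maps a short, opaque key to a `Class` object rather than validating a fully qualified name with a pattern: a prefix or regex check still leaves `Class.forName()` consuming input, whereas a map lookup means the configuration can only ever pick among classes the code already names. If an application must accept fully qualified names (for example from a framework), the same pattern applies with the names themselves as the map keys, and the `Class<? extends Handler>` type plus the `null` check keep the loaded class within the expected interface.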