---
title: Avoid user-generated class names for reflection
description: Datadog, the leading service for cloud-scale monitoring.
---

# Avoid user-generated class names for reflection


## Metadata{% #metadata %}

**ID:** `java-security/unsafe-reflection`

**Language:** Java

**Severity:** Error

**Category:** Security

**CWE:** [470](https://cwe.mitre.org/data/definitions/470.html)

## Description{% #description %}

Using reflection with a class name that is built at runtime from user-generated input is unsafe and can lead to code injection. Validate the class name before it is used, and make sure the program cannot load a malicious class at runtime.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```java
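import java.lang.reflect.Constructor;
import java.util.Properties;

class Test {
    private final Properties props = new Properties();

    void test() throws ReflectiveOperationException {
        // The class name is assembled at runtime from a property value
        String which = "org.owasp.benchmark.helpers." + props.getProperty("thing");
        System.out.println("foo");
        // Flagged: Class.forName() receives the dynamically built name
        Class<?> thing = Class.forName(which);
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}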
```

## Compliant Code Examples{% #compliant-code-examples %}

```java
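import java.lang.reflect.Constructor;

class Test {
    void test() throws ReflectiveOperationException {
        // The class name is a constant, so no input can change which class is loaded
        Class<?> thing = Class.forName("org.owasp.benchmark.helpers.MyClass");
        Constructor<?> thingConstructor = thing.getConstructor();
    }
}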
```
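
When the class really does have to be chosen at runtime, one way to meet the validation requirement in the description is a fixed allowlist that maps an input key to a class literal, so the input never reaches `Class.forName()`. This is an added example, not part of the rule's own test cases; `Helper`, `CsvHelper`, `JsonHelper`, `HelperFactory` and `AllowlistDemo` are hypothetical names, and the property values are constructed sample input.

```java
import java.util.Map;
import java.util.Properties;

// Hypothetical helper types standing in for the application's own classes.
interface Helper { String name(); }
final class CsvHelper implements Helper { public String name() { return "csv"; } }
final class JsonHelper implements Helper { public String name() { return "json"; } }

final class HelperFactory {
    // Fixed allowlist: external input only selects a key, never a class name.
    private static final Map<String, Class<? extends Helper>> ALLOWED = Map.of(
            "csv", CsvHelper.class,
            "json", JsonHelper.class);

    static Helper create(String key) throws ReflectiveOperationException {
        // Map.of() maps throw NullPointerException on a null key, so check first.
        Class<? extends Helper> type = (key == null) ? null : ALLOWED.get(key);
        if (type == null) {
            // Anything not on the list is rejected, including qualified class names.
            throw new IllegalArgumentException("unsupported helper key");
        }
        // Reflection is still used, but only on a class chosen from the allowlist.
        return type.getDeclaredConstructor().newInstance();
    }
}

public class AllowlistDemo {
    public static void main(String[] args) throws Exception {
        Properties props = new Properties();

        props.setProperty("thing", "json"); // constructed sample input
        System.out.println(HelperFactory.create(props.getProperty("thing")).name());

        props.setProperty("thing", "com.example.Unlisted"); // constructed, not on the list
        try {
            HelperFactory.create(props.getProperty("thing"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```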