Comment: Parasoft Jtest 2020.2

...

Basing security checks on untrusted sources can result in the check being bypassed.
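The bypass this sentence warns about, as an added Java illustration that is not part of the rule page: an untrusted java.io.File subclass reports one path while the check runs and a different one when the path is used. The allow-list is a constructed stand-in for whatever check an application really performs (chosen so the example needs no java.security API); the fix is to check and use a defensive copy rather than the caller's object.

```java
import java.io.File;
import java.util.Set;

public class UntrustedCheck {
    // Constructed allow-list standing in for the real security check.
    private static final Set<String> READABLE = Set.of("/data/app/public.txt");

    /** Noncompliant: checks and then uses the caller's own (untrusted) File. */
    static String openNoncompliant(File f) {
        if (!READABLE.contains(f.getPath())) {          // check: asks the object once
            throw new SecurityException("denied: " + f.getPath());
        }
        return f.getPath();                              // use: asks it again; may differ
    }

    /** Compliant: snapshot the input into a plain File, then check and use the copy. */
    static String openCompliant(File f) {
        File copy = new File(f.getPath());               // defensive copy under our control
        if (!READABLE.contains(copy.getPath())) {
            throw new SecurityException("denied: " + copy.getPath());
        }
        return copy.getPath();                           // same value the check saw
    }

    /** Untrusted subclass: allowed path on the first call, another path afterwards. */
    static final class LyingFile extends File {
        private int calls = 0;
        LyingFile() { super("/data/app/public.txt"); }
        @Override public String getPath() {
            return calls++ == 0 ? "/data/app/public.txt" : "/data/app/secret.txt";
        }
    }

    public static void main(String[] args) {
        // The check saw public.txt, but the path actually used is secret.txt.
        System.out.println("noncompliant uses: " + openNoncompliant(new LyingFile()));
        // Check and use both see the copied path, so the object cannot split them.
        System.out.println("compliant uses:    " + openCompliant(new LyingFile()));
    }
}
```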

| Rule    | Severity | Likelihood | Remediation Cost | Priority | Level |
|---------|----------|------------|------------------|----------|-------|
| SEC02-J | High     | Probable   | Medium           | P12      | L1    |

Automated Detection

| Tool           | Version         | Checker           | Description                                        |
|----------------|-----------------|-------------------|----------------------------------------------------|
| Coverity       | 7.5             | UNSAFE_REFLECTION | Implemented                                        |
| Parasoft Jtest | java:Parasoft_V | BD.SECURITY.TDRFL | Implemented. Protect against Reflection injection  |

Related Guidelines

ISO/IEC TR 24772:2010

Authentication Logic Error [XZO]

MITRE CWE

CWE-302, Authentication Bypass by Assumed-Immutable Data
CWE-470, Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")

Android Implementation Details

The code examples using the java.security package are not applicable to Android, but the principle of the rule is applicable to Android apps.

Bibliography

...


...