...
Comparing classes solely by name can allow a malicious class to bypass security checks and gain access to protected resources: two classes with the same fully qualified name can be loaded by different class loaders, and they are distinct `Class` objects even though their names are equal.
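The following is an added example, not code from the CERT page, showing the failure mode in a form you can run. It defines a child-first class loader (the `SpoofingLoader` name and the `Trusted` class are assumptions made for the demo) that redefines `Trusted` from its own bytecode, producing a second `Class` with an identical name; a name-based check accepts the impostor, an identity check does not.

```java
import java.io.IOException;
import java.io.InputStream;

/**
 * Added demo (not part of the CERT rule text): why comparing Class objects
 * by name is unsafe. A second class loader defines a class with the same
 * fully qualified name as Trusted, so a name comparison accepts it while an
 * identity comparison rejects it.
 */
public class ClassNameComparisonDemo {

    /** The class a security check is supposed to trust (assumed for the demo). */
    public static class Trusted {
    }

    /**
     * Child-first loader that defines the target class itself from the
     * bytecode found on the parent's classpath, yielding a distinct
     * Class object that nonetheless reports the same name.
     */
    static final class SpoofingLoader extends ClassLoader {
        private final String target;

        SpoofingLoader(String target, ClassLoader parent) {
            super(parent);
            this.target = target;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve)
                throws ClassNotFoundException {
            if (!name.equals(target)) {
                // Everything else (java.lang.Object, the outer class, ...) is delegated.
                return super.loadClass(name, resolve);
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    String path = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(path)) {
                        if (in == null) {
                            throw new ClassNotFoundException(name);
                        }
                        byte[] bytes = in.readAllBytes();
                        // Same bytes, different defining loader: a new Class object.
                        c = defineClass(name, bytes, 0, bytes.length);
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }
    }

    /** Noncompliant: trusts any class whose name happens to match. */
    static boolean isTrustedByName(Object o) {
        return o.getClass().getName().equals(Trusted.class.getName());
    }

    /** Compliant: trusts only the Trusted class defined by this code's own loader. */
    static boolean isTrustedByIdentity(Object o) {
        return o.getClass() == Trusted.class;
    }

    public static void main(String[] args) throws Exception {
        Object genuine = new Trusted();

        String name = Trusted.class.getName();
        ClassLoader spoofer = new SpoofingLoader(
                name, ClassNameComparisonDemo.class.getClassLoader());
        Object impostor = spoofer.loadClass(name)
                .getDeclaredConstructor().newInstance();

        System.out.println("impostor has same name as Trusted: "
                + impostor.getClass().getName().equals(name));
        System.out.println("impostor is the same Class as Trusted: "
                + (impostor.getClass() == Trusted.class));
        System.out.println("name check    genuine=" + isTrustedByName(genuine)
                + " impostor=" + isTrustedByName(impostor));
        System.out.println("identity check genuine=" + isTrustedByIdentity(genuine)
                + " impostor=" + isTrustedByIdentity(impostor));
    }
}
```

Compile and run with `javac ClassNameComparisonDemo.java && java ClassNameComparisonDemo`. The impostor's `getName()` matches, so `isTrustedByName` lets it through; `isTrustedByIdentity` compares the `Class` objects themselves and rejects it. Note that identity comparison is also stricter than you may want in plugin or container environments: a legitimate copy of `Trusted` loaded by another loader is rejected too, so decide deliberately which loader's class is the trusted one.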
| Rule | Severity | Likelihood | Detectable | Repairable | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|---|---|
| OBJ09-J | High | Unlikely | Yes | No | Low | P9 / P6 | L2 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| The Checker Framework | | Signature String Checker | Ensure that the string representation of a type is properly used, for example in `Class.forName` (see Chapter 13) |
| Klocwork | | CMP.CLASS | |
| Parasoft Jtest | | CERT.OBJ09.CMP | Do not compare `Class` objects by name |
| PVS-Studio | | V6054 | |
| SonarQube | | S1872 | Classes should not be compared by name |
...