Page History

...

Comparing classes solely using their names can allow a malicious class to bypass security checks and gain access to protected resources.

Rule	Severity	Likelihood

Remediation Cost

Detectable	Repairable	Priority	Level
OBJ09-J	High	Unlikely

Low

Yes

No

P9

P6

L2

Automated Detection

Tool

Version

Checker

Description

The Checker Framework

Include Page

	The Checker Framework_V
	The Checker Framework_V

Signature String Checker

Ensure that the string representation of a type is properly used for example in Class.forName (see Chapter 13)

Klocwork

Include Page

	Klocwork_V
	Klocwork_V

CMP.CLASS

Parasoft Jtest

9.5SECURITY.EAB.CMPImplementedSonarQube Java Plugin

Include Page

	Parasoft_V
	Parasoft_V

CERT.OBJ09.CMP

Do not compare Class objects by name

PVS-Studio

Include Page

	PVS-Studio_V
	PVS-Studio_V

V6054

SonarQube

Include Page

	SonarQube

Java Plugin

_V
	SonarQube

Java Plugin

_V

S1872

Implemented

Classes should not be compared by name

Related Guidelines

MITRE CWE

CWE-486, Comparison of Classes by Name

Bibliography

[Christudas 2005]	Internals of Java Class Loading
[JVMSpec 1999]	§2.8.1, Class Names
[McGraw 1998]	"Twelve Rules for Developing More Secure Java Code"
[Wheeler 2003]	Java Secure Programming for Linux and UNIX HOWTO

...

Space shortcuts

Page tree

Versions Compared

Old Version 124

New Version Current

Key

Automated Detection

Related Guidelines

Bibliography