SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 132

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

Comparing classes solely using their names can allow a malicious class to bypass security checks and gain access to protected resources.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

OBJ09-J

High

Unlikely

Yes
Low

No

P9

P6

L2

Automated Detection

ToolVersionCheckerDescription
The Checker Framework

Include Page
The Checker Framework_V
The Checker Framework_V

Signature String CheckerEnsure that the string representation of a type is properly used for example in Class.forName (see Chapter 13)
CodeSonar
Klocwork

Include Page

CodeSonar

Klocwork_V

CodeSonar

Klocwork_V

FB.CORRECTNESS.EQ_COMPARING_CLASS_NAMES
equals method compares class names rather than class objects
CMP.CLASS
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
SECURITY
CERT.
EAB
OBJ09.CMP
Implemented
Do not compare Class objects by name
PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V6054
SonarQube

Include Page
SonarQube_V
SonarQube_V

S1872
 
Classes should not be compared by name

Related Guidelines

MITRE CWE

CWE-486, Comparison of Classes by Name

Bibliography

[Christudas 2005]

Internals of Java Class Loading

[JVMSpec 1999]

§2.8.1, Class Names

[McGraw 1998]

"Twelve Rules for Developing More Secure Java Code"

[Wheeler 2003]

Java Secure Programming for Linux and UNIX HOWTO

...


...