Page History

...

Comparing classes solely using their names can allow a malicious class to bypass security checks and gain access to protected resources.

Rule	Severity	Likelihood	Detectable	RepairableRemediation Cost	Priority	Level
OBJ09-J	High	Unlikely	Yes	LowNo	P9P6	L2

Automated Detection

SECURITYEAB

Tool

Version

Checker

Description

The Checker Framework

Include Page

	The Checker Framework_V
	The Checker Framework_V

Signature String Checker

Ensure that the string representation of a type is properly used for example in Class.forName (see Chapter 13)

CodeSonar Klocwork

Include Page

CodeSonar

	Klocwork_V

CodeSonar

	Klocwork_V

FB.CORRECTNESS.EQ_COMPARING_CLASS_NAMES

equals method compares class names rather than class objects

CMP.CLASS

Parasoft Jtest

Include Page

	Parasoft_V
	Parasoft_V

CERT.

OBJ09.CMP

Do not compare Class objects by name

PVS-Studio

Include Page

	PVS-Studio_V
	PVS-Studio_V

V6054

SonarQube

Include Page

	SonarQube_V
	SonarQube_V

S1872

Classes should not be compared by name

Related Guidelines

MITRE CWE

CWE-486, Comparison of Classes by Name

...

Space shortcuts

Page tree

Versions Compared

Old Version 136

New Version Current

Key

Automated Detection

Related Guidelines