Usage of dangerous permissions

Overview

• Rule ID: java_lang_dangerous_permissions

• Applicable Languages: Java

• Weakness ID: CWE-269

Description

Granting certain dangerous permissions compromises application security. For example, allowing the RuntimePermission of createClassLoader can enable unauthorized class loaders to load arbitrary classes. Similarly, permitting the ReflectPermission of suppressAccessChecks bypasses Java language access controls, potentially allowing unrestricted access to protected and private class members.

Remediation Guidelines

• Do not grant RuntimePermission("createClassLoader"), as this permission allows the instantiation of unauthorized class loaders, posing a security risk by potentially loading arbitrary classes.

• Similarly, avoid granting ReflectPermission("suppressAccessChecks"), which bypasses Java's access controls and can lead to unrestricted access to protected and private class members.

• Do Review and restrict permissions to only those necessary for the application's functionality. Limiting permissions minimizes potential security vulnerabilities.

References

• CWE-269: Improper Privilege Management

• OWASP Top 10: A04:2021 - Insecure Design

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL