Usage of External Input in Code Reflection

Overview

• Rule ID: java_lang_reflection_using_user_input

• Applicable Languages: Java

• Weakness ID: CWE-470

Description

Using external input for dynamic class loading or executing code via reflection presents a major security risk. Attackers can exploit this practice to load malicious classes or execute harmful methods, leading to potential remote code execution and other serious security threats.

Remediation Guidelines

• Avoid using external input with code reflection whenever possible. Steering clear of this practice greatly reduces the risk of executing unauthorized or malicious code.

• Limit the allowed class names and method names to a predefined safelist. This strategy restricts the range of classes and methods that can be dynamically accessed, minimizing the risk of unauthorized actions.

• Sanitize external input by removing special and unexpected characters that could enable code injection attacks. Characters like single or double quotation marks and backslashes are particularly dangerous and should be filtered out.

References

• CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

• OWASP Top 10: A03:2021 - Injection

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL