CMP.CLASS
This error is reported when the program compares two objects' class names (rather than their Class objects) to decide whether they are of the same class. It is also reported when the program decides that an object is of a certain class by any means other than comparing it against a currently loaded class, or against a class obtained through the class loader itself.
Vulnerability and risk
Comparing classes by name allows mix-and-match attacks, in which an attacker constructs new code that links some of your code together with malicious classes, or links together two classes that were never meant to be combined. A class name identifies a class only within a single class loader, so a malicious class loaded under the same name compares as equal when only the name string is checked.
Mitigation and prevention
Do not compare class names with the String equals method. Instead, retrieve the first object's class with the getClass method and compare it with the second object's class, or with the Class obtained by means of the current class loader.
Example 1
    public void privateMethod(Object object1, Object object2) {
        if (object1.getClass().getName().equals("anotherClass")) { // wrong
            // do work based on the assumption we're dealing with
            // the right object
        }
        if (object1.getClass() == object2.getClass()) { // correct
            // do work based on the fact that the objects are
            // of the same class
        }
    }
CMP.CLASS is reported for the if statement marked // wrong: comparing by class name.
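The mix-and-match problem described above, as an added example that is not part of this page: a hypothetical IsolatingLoader defines the same bytecode twice under the same name, so a name comparison accepts an instance that Class identity (and the class-loader-based check the page recommends) rejects. ClassIdentityDemo, IsolatingLoader and Payload are names chosen here, and the code assumes Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;

public class ClassIdentityDemo {
    // Trivial class whose bytecode will be defined twice by separate loaders.
    public static class Payload {}

    // Hypothetical loader that defines classes itself instead of delegating,
    // so every instance yields a distinct Class object under the same name.
    static final class IsolatingLoader extends ClassLoader {
        IsolatingLoader() { super(null); } // no parent: bootstrap, then findClass
        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            String path = "/" + name.replace('.', '/') + ".class";
            try (InputStream in = ClassIdentityDemo.class.getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] bytes = in.readAllBytes(); // Java 9+
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    // Flagged pattern (CMP.CLASS): a matching name does not prove the class.
    static boolean isExpectedByName(Object o) {
        return o.getClass().getName().equals(Payload.class.getName());
    }

    // Correct pattern 1: compare the Class objects of two instances.
    static boolean sameClass(Object a, Object b) {
        return a.getClass() == b.getClass();
    }

    // Correct pattern 2 (the page's mitigation): obtain the expected class via
    // the current class loader and compare Class identity, not the name string.
    static boolean isExpectedClass(Object o) throws ClassNotFoundException {
        Class<?> expected = Class.forName(Payload.class.getName(), false,
                ClassIdentityDemo.class.getClassLoader());
        return o.getClass() == expected;
    }

    public static void main(String[] args) throws Exception {
        String name = Payload.class.getName();
        Object a = new IsolatingLoader().loadClass(name).getDeclaredConstructor().newInstance();
        Object b = new IsolatingLoader().loadClass(name).getDeclaredConstructor().newInstance();
        System.out.println("accepted by name:      " + isExpectedByName(a));
        System.out.println("accepted by Class:     " + isExpectedClass(a));
        System.out.println("a and b same Class:    " + sameClass(a, b));
        System.out.println("a instanceof Payload:  " + (a instanceof Payload));
    }
}
```

Only the name-based check accepts the foreign instance; the Class identity checks, the class-loader-based lookup and instanceof all reject it, which is exactly the distinction the checker enforces.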
External guidance
Security training
Application security training materials provided by Secure Code Warrior.