SV.CLASSLOADER.INJ
Use of ClassLoader to potentially access content from an untrusted source
This error is reported when the ClassLoader class is created with URLs from an untrusted source.
Vulnerability and risk
The ClassLoader object allows the referencing and loading of executable data at runtime. If an attacker can inject alternate URL locations, there is a potential for untrusted code to execute and gain access to the running JVM or local resources.
Mitigation and prevention
This issue is prevented by not instantiating or updating ClassLoader objects with references to URLs from untrusted sources.
Vulnerable code example 1
ClassLoader is instantiated using URL data which is not trusted. Any calls to this ClassLoader to load class data are considered compromised.
public void createContent(final ServletRequest req)
throws MalformedURLException {
// Set up external reference to site
final String urlString = req.getParameter("url.data");
final URL url = new URL(urlString);
final URLClassLoader loader = new URLClassLoader({url});
...
}
Fixed code example 1
The URL is now hard-coded and the system can be verify that the content is trusted.
public void testExternalReference()
throws MalformedURLException {
// Set up external reference to known site
final String urlString = “http://verified.content.com/example.jar”;
final URL url = new URL(urlString);
final URLClassLoader loader = new URLClassLoader({url});
}
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.