SV.CLLOADER
This error appears when the program attempts to load classes by means of the classloader.
Vulnerability and risk
Loading classed directly using a custom classloader can allow malicious code into the system.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Mitigation and prevention
Use a known secure classloader.
Example 1
Copy
public void loadMyClass(String maliciousClass) {
ClassLoader cLoader = ClassLoader
.getSystemClassLoader();
try {
cLoader.loadClass(maliciousClass);
} catch (ClassNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
SV.CLLOADER is reported for call on line 14: Classloader is used directly 'loadClass'