SV.CLASSDEF.INJ

Use of ClassLoader to define and instantiate executable content from an untrusted source

This error is reported when a subclass of ClassLoader is used to define (and subsequently load or instantiate) an executable class from bytes that originate from an untrusted source, such as a request parameter.

Vulnerability and risk

The ClassLoader API (the protected defineClass() methods) turns an arbitrary array of bytes into a loaded, executable class. No further check is applied beyond the JVM's own bytecode verification, which guarantees type safety but says nothing about what the code does.

If an attacker can supply or alter those bytes, attacker-chosen code runs with the full privileges of the JVM process: it can read and write memory of the running application, call any API on the classpath, and reach the file system, network and other local resources available to that process.

Mitigation and prevention

This issue is prevented by never passing externally supplied content to defineClass(). Class bytes should be generated by the application itself or loaded from a trusted, integrity-protected location; data read from a request, socket or untrusted file must not be defined as a class.

Vulnerable code example 1

In this example, the protected class-creation method is first exposed by extending SecureClassLoader. Then, data read from an untrusted source (a request parameter) is passed through the loader to define an executable class. Because the bytes come straight from the request, an attacker who controls that parameter controls the bytecode that is defined and loaded into the JVM.

   import java.security.SecureClassLoader;
   import javax.servlet.ServletRequest;

   private class LocalLoader extends SecureClassLoader {

       // Exposes the protected defineClass() so callers can turn arbitrary bytes into a class.
       public Class<?> createClass(String name, byte[] b, int off, int len) {
           return defineClass(name, b, off, len);
       }
   }

   ...

   public Class<?> createClassData(final ServletRequest req) {
       // Attacker-controlled: the request parameter becomes the bytecode that is defined.
       final String classData = req.getParameter("class.data");
       final byte[] bytes = classData.getBytes();

       final LocalLoader loader = new LocalLoader();
       Class<?> newClass = loader.createClass("name", bytes, 0, bytes.length);
       return newClass;
   }

Fixed code example 1

In this case, the class content comes from generateClassData(), an application-internal routine that builds the bytes itself rather than reading them from the request. Nothing an attacker sends reaches defineClass(), so the resulting class is one the application intended to create and can be instantiated and executed.

   import java.security.SecureClassLoader;

   private class LocalLoader extends SecureClassLoader {

       public Class<?> createClass(String name, byte[] b, int off, int len) {
           return defineClass(name, b, off, len);
       }
   }

   ...

   public Class<?> createClassData() {
       // Class content is produced by the application itself, not taken from external input.
       final String classData = generateClassData();
       final byte[] bytes = classData.getBytes();

       final LocalLoader loader = new LocalLoader();
       Class<?> newClass = loader.createClass("name", bytes, 0, bytes.length);
       return newClass;
   }
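Some applications (plugin systems, remote job runners) genuinely need to accept class files produced outside the current process. The mitigation then is to authenticate the bytes before they reach defineClass(), so that the loader only ever defines content from a trusted signer. The following is an added example written for this page, not code from the checker documentation or from any product: a SecureClassLoader subclass, here called VerifiedClassLoader (an assumed name), that verifies a SHA256withRSA signature over the class bytes and refuses to define the class otherwise. The demo reuses the bytecode of its own nested Payload class as the "externally supplied" artifact and generates a throwaway key pair in main(); in a real deployment the private key stays with the build pipeline and only the public key ships with the application. It requires Java 9 or later for InputStream.readAllBytes().

```java
import java.io.InputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureClassLoader;
import java.security.Signature;

public final class SignedClassLoaderDemo {

    /** Loader that defines a class only if its bytes carry a valid signature from a trusted key. */
    static final class VerifiedClassLoader extends SecureClassLoader {
        private final PublicKey trustedKey;

        VerifiedClassLoader(ClassLoader parent, PublicKey trustedKey) {
            super(parent);
            this.trustedKey = trustedKey;
        }

        /** Verifies the detached signature over classBytes, then defines the class; throws otherwise. */
        Class<?> defineVerified(String name, byte[] classBytes, byte[] signature) throws Exception {
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(trustedKey);
            verifier.update(classBytes);
            if (!verifier.verify(signature)) {
                // Untrusted or tampered content never reaches defineClass().
                throw new SecurityException("refusing to define " + name + ": signature check failed");
            }
            return defineClass(name, classBytes, 0, classBytes.length);
        }
    }

    /** Stand-in for a plugin class; its bytecode is read back from the classpath for the demo. */
    public static final class Payload {
        public String hello() { return "payload loaded"; }
    }

    /** Reads the .class bytes of an already-loaded class from the classpath (demo input, constructed here). */
    static byte[] classBytesOf(Class<?> c) throws Exception {
        String resource = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(resource)) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        // Demo-only key pair; in production the private half lives in the build/signing system.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();

        byte[] genuine = classBytesOf(Payload.class);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(signer.getPrivate());
        s.update(genuine);
        byte[] sig = s.sign();

        ClassLoader parent = SignedClassLoaderDemo.class.getClassLoader();
        String binaryName = Payload.class.getName();

        // 1. Correctly signed bytes: defined in a fresh loader and usable.
        VerifiedClassLoader good = new VerifiedClassLoader(parent, signer.getPublic());
        Class<?> loaded = good.defineVerified(binaryName, genuine, sig);
        Object instance = loaded.getDeclaredConstructor().newInstance();
        System.out.println(loaded.getMethod("hello").invoke(instance));

        // 2. Same bytes with one byte altered (simulating attacker modification): rejected before defineClass().
        byte[] tampered = genuine.clone();
        tampered[tampered.length - 1] ^= 0x01;
        VerifiedClassLoader strict = new VerifiedClassLoader(parent, signer.getPublic());
        try {
            strict.defineVerified(binaryName, tampered, sig);
            System.out.println("BUG: tampered class was defined");
        } catch (SecurityException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The signature is checked over the exact bytes handed to defineClass(), so there is no window in which verified and defined content can differ. Each VerifiedClassLoader instance defines a class at most once per binary name, which is why the demo uses a second loader for the tampered attempt. Signature verification authenticates the origin of the bytecode; it does not make arbitrary code safe, so the signing key must be restricted to artifacts the application's owners actually reviewed and built.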

Related checkers

Security training

Application security training materials provided by Secure Code Warrior.