SV.CLLOADER

This error appears when the program attempts to load classes by means of the classloader.

Vulnerability and risk

Loading classed directly using a custom classloader can allow malicious code into the system.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Use a known secure classloader.

Example 1

Copy

10
11
12
13
14
15
16
17
18
19
    public void loadMyClass(String maliciousClass) {
      ClassLoader cLoader = ClassLoader
          .getSystemClassLoader();
      try {
        cLoader.loadClass(maliciousClass);
      } catch (ClassNotFoundException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
      }
    }

SV.CLLOADER is reported for call on line 14: Classloader is used directly 'loadClass'

External guidance

CERT SEC03-J: Do not load trusted classes after allowing untrusted code to load arbitrary classes