SV.CLASSDEF.INJ

Use of ClassLoader to define and instantiate executable content from an untrusted source

This error is reported when a derivative of ClassLoader is used to define and instantiate an executable class from an untrusted source.

Vulnerability and risk

The ClassLoader object allows the creation of an executable class from a string of bytes or characters.

If an attacker can control the bytes passed to the loader, untrusted code can execute inside the running JVM and gain access to its resources and to local resources.

Mitigation and prevention

This issue is prevented by not defining classes with content from untrusted sources.

Vulnerable code example 1

In this example, the protected defineClass() method is first exposed through a public wrapper in a subclass of SecureClassLoader. Then, data taken from an untrusted source (a request parameter) is passed through the loader to create an executable version of the class. Because the source is untrusted, the resulting class is compromised.

import java.security.SecureClassLoader;
import javax.servlet.ServletRequest;

private class LocalLoader extends SecureClassLoader {

    // Exposes the protected ClassLoader.defineClass() to callers outside the loader
    public Class<?> createClass(String name, byte[] b, int off, int len) {
        return defineClass(name, b, off, len);
    }
}

...

public Class<?> createClassData(final ServletRequest req) {
    // The class bytes come straight from a request parameter: untrusted input
    final String classData = req.getParameter("class.data");
    final byte[] bytes = classData.getBytes();

    final LocalLoader loader = new LocalLoader();
    // defineClass() turns the attacker-controlled bytes into an executable class
    Class<?> newClass = loader.createClass("name", bytes, 0, bytes.length);
    return newClass;
}

Fixed code example 1

In this case, a function called generateClassData() procedurally creates the content of the executable class inside the application itself, so no untrusted input reaches defineClass(); the result is then instantiated and ready for execution.

import java.security.SecureClassLoader;

private class LocalLoader extends SecureClassLoader {

    // Exposes the protected ClassLoader.defineClass() to callers outside the loader
    public Class<?> createClass(String name, byte[] b, int off, int len) {
        return defineClass(name, b, off, len);
    }
}

...

public Class<?> createClassData() {
    // generateClassData() builds the class content internally; nothing comes from a request
    final String classData = generateClassData();
    final byte[] bytes = classData.getBytes();

    final LocalLoader loader = new LocalLoader();
    Class<?> newClass = loader.createClass("name", bytes, 0, bytes.length);
    return newClass;
}
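The fixed example avoids the issue by never accepting class bytes from outside. When bytes do have to arrive at runtime (a plugin downloaded by the application, for instance), the trusted-source requirement can be enforced by pinning a digest of each allowed class at build time and checking it before defineClass() is reached. The following is an added example, not Klocwork's code and not part of the page's own examples; the class name PinnedDigestLoader, the allowlist map and the sample bytes are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureClassLoader;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical loader (not Klocwork's code) that defines a class only when its
 * bytes match a SHA-256 digest pinned at build time. Bytes arriving from a
 * request, a socket or any other untrusted channel never reach defineClass()
 * unless they are byte-for-byte the artifact the build produced.
 */
public final class PinnedDigestLoader extends SecureClassLoader {

    // Allowlist: binary class name -> expected SHA-256 of the .class bytes.
    // Assumed to be generated from the shipped artifacts during the build.
    private final Map<String, byte[]> pinnedDigests;

    public PinnedDigestLoader(ClassLoader parent, Map<String, byte[]> pinnedDigests) {
        super(parent);
        this.pinnedDigests = new HashMap<>(pinnedDigests);
    }

    /** Throws SecurityException unless the bytes match the pinned digest for name. */
    public void verify(String name, byte[] classBytes) {
        byte[] expected = pinnedDigests.get(name);
        if (expected == null) {
            throw new SecurityException("class not in allowlist: " + name);
        }
        // MessageDigest.isEqual compares the two digests in constant time
        if (!MessageDigest.isEqual(expected, sha256(classBytes))) {
            throw new SecurityException("digest mismatch for class: " + name);
        }
    }

    /** The only path to defineClass(): verification always happens first. */
    public Class<?> defineVerified(String name, byte[] classBytes) {
        verify(name, classBytes);
        return defineClass(name, classBytes, 0, classBytes.length);
    }

    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required of every Java platform", e);
        }
    }

    // Demonstration with constructed bytes: the first check passes, the second
    // (one byte flipped, as any modified payload would be) is rejected before
    // defineClass() is reached. The bytes are a stand-in, not a real class file,
    // so only verify() is exercised here; defineVerified() on them would throw
    // ClassFormatError after the digest check.
    public static void main(String[] args) {
        byte[] shipped = "constructed stand-in for real .class bytes".getBytes(StandardCharsets.UTF_8);
        Map<String, byte[]> pins = new HashMap<>();
        pins.put("com.example.Plugin", sha256(shipped));

        PinnedDigestLoader loader =
            new PinnedDigestLoader(PinnedDigestLoader.class.getClassLoader(), pins);

        loader.verify("com.example.Plugin", shipped);
        System.out.println("shipped bytes: digest OK");

        byte[] tampered = shipped.clone();
        tampered[0] ^= 0x01;
        try {
            loader.verify("com.example.Plugin", tampered);
            System.out.println("BUG: tampered bytes accepted");
        } catch (SecurityException e) {
            System.out.println("tampered bytes rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the loader has exactly one public route to defineClass(), and that route cannot be taken without a successful digest check against a value that was fixed before the application ever saw the input. A class name that is not in the allowlist is refused outright, so the untrusted channel can neither supply new classes nor alter known ones; the checker's untrusted-source concern is closed at the verification step rather than by trusting the caller.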

Related checkers