SV.CLASSLOADER.INJ

Use of ClassLoader to potentially access content from an untrusted source

This error is reported when a ClassLoader is constructed with URLs that originate from an untrusted source.

Vulnerability and risk

A ClassLoader references and loads executable data at runtime. If an attacker can inject alternate URL locations, untrusted code can be loaded and executed inside the running JVM, with the same access to the JVM and to local resources as the application itself.

Mitigation and prevention

This issue is prevented by never instantiating or updating ClassLoader objects with URLs taken from untrusted sources. If the location has to vary at runtime, let the untrusted input select an entry from a fixed allow-list of known URLs rather than becoming a URL itself.

Vulnerable code example 1

The ClassLoader is instantiated using URL data which is not trusted. Any call to this ClassLoader to load class data is considered compromised.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
import javax.servlet.ServletRequest;

public void createContent(final ServletRequest req)
        throws MalformedURLException {

    // Set up external reference to site: the location comes straight from the request
    final String urlString = req.getParameter("url.data");
    final URL url = new URL(urlString);
    // Every class loaded through this loader is attacker-chosen code
    final URLClassLoader loader = new URLClassLoader(new URL[] { url });
    ...
}
```

Fixed code example 1

The URL is now hard-coded, so the system can verify that the content is trusted.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;

public void testExternalReference()
        throws MalformedURLException {

    // Set up external reference to a known site; the location is fixed at build time
    final String urlString = "http://verified.content.com/example.jar";
    final URL url = new URL(urlString);
    final URLClassLoader loader = new URLClassLoader(new URL[] { url });
}
```

Hard-coding the location removes the injection the checker reports. Note that the archive in this example is still fetched over plain HTTP, so it can be replaced in transit; trusted code should be served over HTTPS or from a local, permission-protected path.

Related checkers

External guidelines
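The following is an added example, not code from the Klocwork documentation, showing the allow-list approach from the mitigation text: the request parameter picks one of a fixed set of known code sources and is never turned into a URL on its own. The class name TrustedCodeSource, the allow-list contents, the parent loader choice and the sample inputs in main are assumptions for illustration.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Set;

public final class TrustedCodeSource {

    // Hypothetical allow-list of exact code-source URLs. In a real deployment this
    // comes from build-time configuration, never from the request.
    private static final Set<String> TRUSTED_JARS = Set.of(
        "https://verified.content.com/example.jar",
        "https://verified.content.com/plugins/reporting.jar"
    );

    private TrustedCodeSource() {}

    /**
     * Accepts a caller-supplied string only if, after URI normalization, it is an
     * absolute https URL that matches an allow-list entry exactly. Anything else is
     * rejected, so a mismatch fails closed rather than loading unknown code.
     */
    public static URL resolveTrusted(String requested) throws MalformedURLException {
        if (requested == null) {
            throw new IllegalArgumentException("no code source requested");
        }
        String normalized;
        try {
            // Normalize so that "/./example.jar" cannot bypass the exact comparison
            URI uri = new URI(requested).normalize();
            if (!"https".equals(uri.getScheme()) || uri.getHost() == null) {
                throw new IllegalArgumentException("only absolute https code sources are permitted");
            }
            normalized = uri.toString();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed code source", e);
        }
        if (!TRUSTED_JARS.contains(normalized)) {
            throw new IllegalArgumentException("code source is not on the allow-list");
        }
        return new URL(normalized);
    }

    /** Builds the loader only from a URL that passed the allow-list check. */
    public static URLClassLoader loaderFor(String requested) throws MalformedURLException {
        URL url = resolveTrusted(requested);
        // Explicit parent so delegation to the application's loader is deliberate
        return new URLClassLoader(new URL[] { url }, TrustedCodeSource.class.getClassLoader());
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for values of req.getParameter("url.data")
        String[] samples = {
            "https://verified.content.com/example.jar",        // allow-listed: accepted
            "https://verified.content.com/./example.jar",      // same resource: accepted after normalization
            "https://verified.content.com/../evil.jar",        // not on the list: rejected
            "http://verified.content.com/example.jar",         // plaintext scheme: rejected
            "https://verified.content.com@evil.example/x.jar", // host is evil.example: rejected
            "file:///tmp/payload.jar"                          // local file: rejected
        };
        for (String s : samples) {
            try (URLClassLoader loader = loaderFor(s)) {
                System.out.println("accepted: " + loader.getURLs()[0]);
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The comparison is deliberately an exact string match after normalization rather than a prefix or host check, because prefix matching is what lets userinfo tricks like `trusted.host@evil.example` and path tricks slip through. The check only controls which location is used; it still trusts the allow-listed host and the transport, so the archives themselves should be served over HTTPS and, where possible, be signed.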