Usage of dangerous permissions

Description

Granting certain dangerous permissions compromises application security. Specifically, granting RuntimePermission("createClassLoader") can lead to unauthorized class loaders being used to load arbitrary classes. Similarly, granting ReflectPermission("suppressAccessChecks") bypasses Java language access controls, risking unrestricted access to protected and private class members.

Remediations

  • Do not grant RuntimePermission("createClassLoader"). This permission enables the instantiation of unauthorized class loaders, posing a security risk by potentially loading arbitrary classes.
  • Do not grant ReflectPermission("suppressAccessChecks"). This permission allows bypassing Java's access checks, leading to a risk of unrestricted access to protected and private class members.
  • Do review and restrict permissions to only what is necessary for the application's functionality. Limiting permissions minimizes potential security vulnerabilities.
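
An added example (not part of the original rule documentation or of Bearer's own code) that puts a weak grant set beside a restricted one and audits both with PermissionCollection.implies. It goes slightly beyond the text by showing that a wildcard grant such as RuntimePermission("*") implies createClassLoader as well. The class name, method names and file path are hypothetical.

```java
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

public class DangerousPermissionAudit {
    // The two permissions named in the description above.
    static final List<Permission> DANGEROUS = List.of(
        new RuntimePermission("createClassLoader"),
        new ReflectPermission("suppressAccessChecks"));

    // Returns the dangerous permissions the collection grants, either directly
    // or through a broader grant that implies them.
    static List<String> audit(PermissionCollection granted) {
        List<String> findings = new ArrayList<>();
        for (Permission p : DANGEROUS) {
            if (granted.implies(p)) {
                findings.add(p.getClass().getSimpleName() + "(\"" + p.getName() + "\")");
            }
        }
        return findings;
    }

    // Weak: one dangerous permission granted by name, the other via a wildcard.
    static PermissionCollection weakGrants() {
        Permissions pc = new Permissions();
        pc.add(new RuntimePermission("*"));                    // implies createClassLoader
        pc.add(new ReflectPermission("suppressAccessChecks")); // granted directly
        return pc;
    }

    // Corrected: only what the (hypothetical) application needs.
    static PermissionCollection restrictedGrants() {
        Permissions pc = new Permissions();
        pc.add(new PropertyPermission("user.dir", "read"));
        pc.add(new FilePermission("/opt/app/config/-", "read")); // constructed path
        return pc;
    }

    public static void main(String[] args) {
        System.out.println("weak:       " + audit(weakGrants()));
        System.out.println("restricted: " + audit(restrictedGrants()));
    }
}
```

Checking with implies rather than comparing permission names is what surfaces the wildcard grant; a search for the literal string "createClassLoader" alone would miss it.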

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_dangerous_permissions

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_dangerous_permissions