Usage of external input in code reflection

Description

It is bad practice to use external input when dynamically loading classes or executing code using reflection. An attacker could exploit this to load malicious classes or invoke malicious methods, leading to remote code execution and other security risks.

Remediations

✅ Limit the allowed class names and method names to a safelist

✅ Sanitize external input to remove special and unexpected characters that could lead to code injection (such as single or double quotation marks and backslashes)

❌ Wherever possible, avoid using external input with code reflection
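The three remediations above, worked through in Java as an added example (this is not Bearer's code, and the exporter classes, the `format` and `methodName` parameters, and the sample inputs are all constructed for illustration). `exportUnsafe` is the shape this rule flags: the class and method names come straight from the request. `exportSafe` keeps reflection but lets external input select only a key into a fixed safelist, so there is nothing left to sanitize. `exportWithoutReflection` follows the last remediation and drops reflection entirely in favour of a map of constructors.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

// Added example, not Bearer's own code: a report exporter selected by an
// HTTP parameter, first as java_lang_reflection_using_user_input would flag
// it, then hardened two ways.
public final class ReflectionSafelistExample {

    interface Exporter {
        String export(String data);
    }

    // Hypothetical exporters that external input may legitimately select.
    public static final class CsvExporter implements Exporter {
        public String export(String data) { return "csv:" + data; }
    }

    public static final class JsonExporter implements Exporter {
        public String export(String data) { return "json:" + data; }
    }

    // Flagged: className and methodName are external input, so any class on
    // the classpath can be instantiated and any public String method invoked.
    static String exportUnsafe(String className, String methodName, String data)
            throws ReflectiveOperationException {
        Class<?> clazz = Class.forName(className);
        Object exporter = clazz.getDeclaredConstructor().newInstance();
        Method m = clazz.getMethod(methodName, String.class);
        return (String) m.invoke(exporter, data);
    }

    // Safelist: external input only picks a key; the reflective target is a
    // constant chosen by the application, so no sanitizing of the raw string
    // is needed and unexpected keys are rejected outright.
    private static final Map<String, Class<? extends Exporter>> ALLOWED_EXPORTERS = Map.of(
            "csv", CsvExporter.class,
            "json", JsonExporter.class);

    private static final Set<String> ALLOWED_METHODS = Set.of("export");

    static String exportSafe(String format, String methodName, String data)
            throws ReflectiveOperationException {
        Class<?> clazz = ALLOWED_EXPORTERS.get(format);
        if (clazz == null) {
            throw new IllegalArgumentException("unsupported export format");
        }
        if (!ALLOWED_METHODS.contains(methodName)) {
            throw new IllegalArgumentException("unsupported operation");
        }
        Object exporter = clazz.getDeclaredConstructor().newInstance();
        Method m = clazz.getMethod(methodName, String.class);
        return (String) m.invoke(exporter, data);
    }

    // Preferred: no reflection at all. The map holds constructor references,
    // so the compiler fixes the set of reachable classes and methods.
    private static final Map<String, Supplier<Exporter>> FACTORIES = Map.of(
            "csv", CsvExporter::new,
            "json", JsonExporter::new);

    static String exportWithoutReflection(String format, String data) {
        Supplier<Exporter> factory = FACTORIES.get(format);
        if (factory == null) {
            throw new IllegalArgumentException("unsupported export format");
        }
        return factory.get().export(data);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // Constructed values standing in for request.getParameter(...) results.
        System.out.println(exportSafe("csv", "export", "a,b,c"));
        System.out.println(exportWithoutReflection("json", "a,b,c"));
        try {
            exportSafe("unexpected-class-name", "export", "x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Both hardened variants fail closed: a key that is not in the map is rejected before any class is loaded, which is what makes a safelist stronger than character sanitization of the raw class name.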

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_reflection_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_reflection_using_user_input
