Usage of external input in code reflection

• Rule ID: java_lang_reflection_using_user_input
• Languages: java
• Source: reflection_using_user_input.yml

Description

Using external input for dynamic class loading or code execution through reflection poses a significant security risk. This practice can be exploited by attackers to load harmful classes or execute malicious methods, potentially resulting in remote code execution and other severe security threats.

Remediations

• Do not - wherever possible - use external input with code reflection. Avoiding this practice altogether significantly lowers the risk of executing unauthorized or malicious code.
• Do limit the allowed class names and method names to a predefined safelist. This approach restricts the scope of classes and methods that can be dynamically accessed, reducing the risk of unauthorized actions.
• Do sanitize external input by removing special and unexpected characters that could facilitate code injection attacks. Characters such as single or double quotation marks and backslashes are particularly risky and should be filtered out.

Associated CWE

• CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

OWASP Top 10

• A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_reflection_using_user_input

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_reflection_using_user_input