URLClassloader: Call super when overriding getPermissions :: Recipe Details

Recipe Name:

URLClassloader: Call super when overriding getPermissions

Description:

Custom permissions should be based on those of the super class using super.getPermissions

Level:

warning

Language:

java

Tags:

security
Java basic
SEI CERT

Documentation

As explained by the SEI CERT coding guidelines: "When a custom class loader must override the getPermissions() method, the implementation must consult the default system policy by explicitly invoking the superclass's getPermissions() method before assigning arbitrary permissions to the code source. A custom class loader that ignores the superclass's getPermissions() could load untrusted classes with elevated privileges. ClassLoader is abstract and must not be directly subclassed."

References

SEI CERT - SEC07-J. Call the superclass's getPermissions() method when writing a custom class loader

Recipe

id: scw:java:URLClassLoader-getPermissions
version: 10
metadata:
  name: 'URLClassloader: Call super when overriding getPermissions'
  shortDescription: Custom permissions should be based on those of the super class using super.getPermissions
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/URLClassloader__Call_super_when_overriding_getPermissions.html
  tags: security;Java basic;SEI CERT
search:
  method:
    in:
      class:
        super:
          name: java.net.URLClassLoader
    name: getPermissions
    type: java.net.URLClassLoader
    without:
      child:
        methodcall:
          name: getPermissions
          "on":
            expression:
              value:
                stringified: super
availableFixes: []