Recipe Name:
URLClassloader: Call super when overriding getPermissions
Description:
Custom permissions should be based on those of the super class using super.getPermissions
Level:
warning
Language:
  • java
Tags:
  • security
  • Java basic
  • SEI CERT
Documentation

As explained by the SEI CERT coding guidelines: "When a custom class loader must override the getPermissions() method, the implementation must consult the default system policy by explicitly invoking the superclass's getPermissions() method before assigning arbitrary permissions to the code source. A custom class loader that ignores the superclass's getPermissions() could load untrusted classes with elevated privileges. ClassLoader is abstract and must not be directly subclassed."

References
Recipe
id: scw:java:URLClassLoader-getPermissions
version: 10
metadata:
  name: 'URLClassloader: Call super when overriding getPermissions'
  shortDescription: Custom permissions should be based on those of the super class using super.getPermissions
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/URLClassloader__Call_super_when_overriding_getPermissions.html
  tags: security;Java basic;SEI CERT
search:
  method:
    in:
      class:
        super:
          name: java.net.URLClassLoader
    name: getPermissions
    type: java.net.URLClassLoader
    without:
      child:
        methodcall:
          name: getPermissions
          "on":
            expression:
              value:
                stringified: super
availableFixes: []