User-provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing class or method names directly from
tainted data enables attackers to inject specially crafted values that could result in unexpected behavior, e.g. crash of the application.
Typically, the solution is to validate every parameter used to create the name. This can be achieved by validating them against a list of
authorized values.
Noncompliant Code Example
public void run(javax.servlet.http.HttpServletRequest request) throws ClassNotFoundException {
String name = request.getParameter("name");
Class clazz = Class.forName(name); // Noncompliant
}
Compliant Solution
public void run(javax.servlet.http.HttpServletRequest request) throws ClassNotFoundException {
String name = request.getParameter("name");
if (this.allowed.contains(name)) {
Class clazz = Class.forName(name);
}
}
See