28 lines
1.5 KiB
Plaintext
28 lines
1.5 KiB
Plaintext
|
=== On 2014-07-30T21:14:24Z Freddy Mallet Wrote:
|
||
|
|
My feedback @Ann:
|
||
|
|
|
||
|
|
* I would have limited the scope of this rule to Java and Groovy because on my side I would not be able to say if this rule is relevant or not in {cpp}, C#, VB.Net, ...
|
||
|
|
* In the provided example in Java, I would have used the Class.getName() method and not Class.getSimpleName() which is not so widely used.
|
||
|
|
* The following extended description provided in the CWE page is for me really relevant to understand why this might be a security issue:
|
||
|
|
____
|
||
|
|
If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.
|
||
|
|
|
||
|
|
____
|
||
|
|
|
||
|
|
=== On 2014-07-31T18:48:53Z Ann Campbell Wrote:
|
||
|
|
\[~freddy.mallet]
|
||
|
|
|
||
|
|
* I did some research at the time (& just ran through it again). All of those languages have classes and some equivalent of instanceof
|
||
|
|
* The example doesn't work with Class.getName() :-)
|
||
|
|
* I've beefed up the description.
|
||
|
|
|
||
|
|
=== On 2015-02-13T17:37:16Z Freddy Mallet Wrote:
|
||
|
|
\[~ann.campbell.2] what should be the security category associated with this rule ?
|
||
|
|
|
||
|
|
=== On 2015-02-16T12:41:40Z Ann Campbell Wrote:
|
||
|
|
\[~freddy.mallet] are you talking about a security-related sub-tag, or are you talking about switching the SQALE mapping to Security? Or both?
|
||
|
|
|
||
|
|
=== On 2015-04-05T23:35:27Z Evgeny Mandrikov Wrote:
|
||
|
|
\[~ann.campbell.2] I believe that this is not applicable for {cpp} and Objective-C.
|
||
|
|
|