rspec/rules/S1872/java/rule.adoc

== Why is this an issue?

There is no requirement that class names be unique, only that they be unique within a package. Therefore trying to determine an object's type based on its class name is an exercise fraught with danger. One of those dangers is that a malicious user will send objects of the same name as the trusted class and thereby gain trusted access.

Instead, the ``++instanceof++`` operator or the ``++Class.isAssignableFrom()++`` method should be used to check the object's underlying type.

=== Noncompliant code example

[source,java]
----
package computer;
class Pear extends Laptop { ... }

package food;
class Pear extends Fruit { ... }

class Store {

  public boolean hasSellByDate(Object item) {
    if ("Pear".equals(item.getClass().getSimpleName())) {  // Noncompliant
      return true;  // Results in throwing away week-old computers
    }
    return false;
  }

  public boolean isList(Class<T> valueClass) {
    if (List.class.getName().equals(valueClass.getName())) {  // Noncompliant
      return true;
    }
    return false;
  }
}
----

=== Compliant solution

[source,java]
----
class Store {

  public boolean hasSellByDate(Object item) {
    if (item instanceof food.Pear) {
      return true;
    }
    return false;
  }

  public boolean isList(Class<T> valueClass) {
    if (valueClass.isAssignableFrom(List.class)) {
      return true;
    }
    return false;
  }
}
----

== Resources

* CWE - https://cwe.mitre.org/data/definitions/486[CWE-486 - Comparison of Classes by Name]
* https://wiki.sei.cmu.edu/confluence/x/eDdGBQ[CERT, OBJ09-J.] - Compare classes and not class names

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use an ["instanceof"|"isAssignableFrom()"] comparison instead.


'''
== Comments And Links
(visible only on this page)

=== on 30 Jul 2014, 21:14:24 Freddy Mallet wrote:
My feedback @Ann:

* I would have limited the scope of this rule to Java and Groovy because on my side I would not be able to say if this rule is relevant or not in {cpp}, C#, VB.Net, ...
* In the provided example in Java, I would have used the Class.getName() method and not Class.getSimpleName() which is not so widely used.
* The following extended description provided in the CWE page is for me really relevant to understand why this might be a security issue: 
____
If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.

____

=== on 31 Jul 2014, 18:48:53 Ann Campbell wrote:
\[~freddy.mallet]

* I did some research at the time (& just ran through it again). All of those languages have classes and some equivalent of instanceof
* The example doesn't work with Class.getName() :-)
* I've beefed up the description.

=== on 13 Feb 2015, 17:37:16 Freddy Mallet wrote:
\[~ann.campbell.2] what should be the security category associated with this rule ?

=== on 16 Feb 2015, 12:41:40 Ann Campbell wrote:
\[~freddy.mallet] are you talking about a security-related sub-tag, or are you talking about switching the SQALE mapping to Security? Or both?

=== on 5 Apr 2015, 23:35:27 Evgeny Mandrikov wrote:
\[~ann.campbell.2] I believe that this is not applicable for {cpp} and Objective-C.


endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`There is no requirement that class names be unique, only that they be unique within a package. Therefore trying to determine an object's type based on its class name is an exercise fraught with danger. One of those dangers is that a malicious user will send objects of the same name as the trusted class and thereby gain trusted access.`
Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			Instead, the ``++instanceof++`` operator or the ``++Class.isAssignableFrom()++`` method should be used to check the object's underlying type.
Add rules 1000-1999 2020-06-30 12:47:33 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Add rules 1000-1999 2020-06-30 12:47:33 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`----`
			`package computer;`
			`class Pear extends Laptop { ... }`

			`package food;`
			`class Pear extends Fruit { ... }`

			`class Store {`

			`public boolean hasSellByDate(Object item) {`
			`if ("Pear".equals(item.getClass().getSimpleName())) { // Noncompliant`
			`return true; // Results in throwing away week-old computers`
			`}`
			`return false;`
			`}`

			`public boolean isList(Class<T> valueClass) {`
			`if (List.class.getName().equals(valueClass.getName())) { // Noncompliant`
			`return true;`
			`}`
			`return false;`
			`}`
			`}`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Add rules 1000-1999 2020-06-30 12:47:33 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`----`
			`class Store {`

			`public boolean hasSellByDate(Object item) {`
			`if (item instanceof food.Pear) {`
			`return true;`
			`}`
			`return false;`
			`}`

			`public boolean isList(Class<T> valueClass) {`
			`if (valueClass.isAssignableFrom(List.class)) {`
			`return true;`
			`}`
			`return false;`
			`}`
			`}`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
RULEAPI-665: Remove security standards from the irrelevant language-specific rules (#362) 2021-09-21 15:40:35 +02:00
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/486[CWE-486 - Comparison of Classes by Name]`
RULEAPI-665: Remove security standards from the irrelevant language-specific rules (#362) 2021-09-21 15:40:35 +02:00			`* https://wiki.sei.cmu.edu/confluence/x/eDdGBQ[CERT, OBJ09-J.] - Compare classes and not class names`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Use an ["instanceof"\|"isAssignableFrom()"] comparison instead.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Clean rule at root In some cases, the `rule.adoc` at root of a rule is never included anywhere and thus is dead code. It's a maintenance cost by itself, but also it misses opportunities to inline code that seems used by two documents when in fact only one document is actually rendered. And this missed opportunity, in turn, stops us from applying the correct language tag on the code samples. 2023-10-16 16:34:38 +02:00			`=== on 30 Jul 2014, 21:14:24 Freddy Mallet wrote:`
			`My feedback @Ann:`

			`* I would have limited the scope of this rule to Java and Groovy because on my side I would not be able to say if this rule is relevant or not in {cpp}, C#, VB.Net, ...`
			`* In the provided example in Java, I would have used the Class.getName() method and not Class.getSimpleName() which is not so widely used.`
			`* The following extended description provided in the CWE page is for me really relevant to understand why this might be a security issue:`
			`____`
			`If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.`

			`____`

			`=== on 31 Jul 2014, 18:48:53 Ann Campbell wrote:`
			`\[~freddy.mallet]`

			`* I did some research at the time (& just ran through it again). All of those languages have classes and some equivalent of instanceof`
			`* The example doesn't work with Class.getName() :-)`
			`* I've beefed up the description.`

			`=== on 13 Feb 2015, 17:37:16 Freddy Mallet wrote:`
			`\[~ann.campbell.2] what should be the security category associated with this rule ?`

			`=== on 16 Feb 2015, 12:41:40 Ann Campbell wrote:`
			`\[~freddy.mallet] are you talking about a security-related sub-tag, or are you talking about switching the SQALE mapping to Security? Or both?`

			`=== on 5 Apr 2015, 23:35:27 Evgeny Mandrikov wrote:`
			`\[~ann.campbell.2] I believe that this is not applicable for {cpp} and Objective-C.`

Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`