28 lines
1.5 KiB
Plaintext
28 lines
1.5 KiB
Plaintext
=== on 30 Jul 2014, 21:14:24 Freddy Mallet wrote:
|
|
My feedback @Ann:
|
|
|
|
* I would have limited the scope of this rule to Java and Groovy because on my side I would not be able to say if this rule is relevant or not in {cpp}, C#, VB.Net, ...
|
|
* In the provided example in Java, I would have used the Class.getName() method and not Class.getSimpleName() which is not so widely used.
|
|
* The following extended description provided in the CWE page is for me really relevant to understand why this might be a security issue:
|
|
____
|
|
If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.
|
|
|
|
____
|
|
|
|
=== on 31 Jul 2014, 18:48:53 Ann Campbell wrote:
|
|
\[~freddy.mallet]
|
|
|
|
* I did some research at the time (& just ran through it again). All of those languages have classes and some equivalent of instanceof
|
|
* The example doesn't work with Class.getName() :-)
|
|
* I've beefed up the description.
|
|
|
|
=== on 13 Feb 2015, 17:37:16 Freddy Mallet wrote:
|
|
\[~ann.campbell.2] what should be the security category associated with this rule ?
|
|
|
|
=== on 16 Feb 2015, 12:41:40 Ann Campbell wrote:
|
|
\[~freddy.mallet] are you talking about a security-related sub-tag, or are you talking about switching the SQALE mapping to Security? Or both?
|
|
|
|
=== on 5 Apr 2015, 23:35:27 Evgeny Mandrikov wrote:
|
|
\[~ann.campbell.2] I believe that this is not applicable for {cpp} and Objective-C.
|
|
|