Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why avoid Method.invoke?

Tags:

java

java-security

In guideline 9-11 / ACCESS-11

Be aware java.lang.reflect.Method.invoke is ignored for checking the immediate caller

of the Secure Coding Guidelines for Java SE, it is stated that the Method.invoke implementation is ignored when determining the immediate caller, because otherwise the action would be performed with all permissions. So far that's clear to me, but then it is stated:

Therefore, avoid Method.invoke

I understand it is good that the Method.invoke implementation is ignored when determining the immediate caller, but why it should be avoided? What would be the reason to avoid it?

like image 695
Philippe Avatar asked Mar 28 '21 23:03

Philippe

People also ask

What does method invoke do?

Java Method invoke() Method The invoke () method of Method class Invokes the underlying method represented by this Method object, on the specified object with the specified parameters. Individual parameters automatically to match primitive formal parameters.

What does method invoke return?

invoke() method returns the object which is returned after that method execution!

What does invoke mean in Java?

Java Invoke is a synchronous activity that can be used to invoke a Java class method. You can construct an instance of the specified Java class, if you invoke the constructor for the class.

1 Answers

There is an inherent risk when using reflection for invoking methods ( like in Java or C#). Quoting from the OWASP vulnerability description page for Unsafe use of reflection

If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers.

like image 142
Shailendra Avatar answered Oct 22 '22 06:10

Shailendra
Sign in to Comment

Related questions

Is there an android annotation for checking the pattern of string parameter?
Increasing connection timeout for Tomcat in Spring Boot
Dynamically change log level for every class in a specific package
How to choose solutions for secure messaging front-end and HIPAA compliant database?
Java Code Coverage in Visual Studio Code
Spring JdbcTemplate - how to prepend every query for achieving multitenancy?
java.lang.IllegalStateException: No instrumentation registered! Must run under a registering instrumentation
No instrumentation registered! Must run under a registering instrumentation
Java Calculator - Shunting yard
Deadlock not detected during MySQL Hibernate JPA transaction
Spring JPA Hibernate CET timezone for AuditingEntityListener
Thread sleeping in a Thread-Pool
How to correctly import BillingResponse with newest version of billing client (billing:2.0.1)
How to update Truststore dynamically?
How to avoid duplication of code regarding primitive types?
Java WebSocket message limit
Integration Test WebAuthN as an 2FA option
How can Serializable.class not be assignable from Class.class?
What is the right behavior of evaluatePreconditions on a date with milliseconds according to the specification?
Thread.sleep is not getting mocked with PowerMockito

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!