Why avoid Method.invoke?

In guideline 9-11 / ACCESS-11

Be aware java.lang.reflect.Method.invoke is ignored for checking the immediate caller

of the Secure Coding Guidelines for Java SE, it is stated that the Method.invoke implementation is ignored when determining the immediate caller, because otherwise the action would be performed with all permissions. So far that's clear to me, but then it is stated:

Therefore, avoid Method.invoke

I understand it is good that the Method.invoke implementation is ignored when determining the immediate caller, but why should it be avoided? What would be the reason to avoid it?

Philippe asked Mar 28 '21 23:03




1 Answer

There is an inherent risk when using reflection for invoking methods (like in Java or C#). Quoting from the OWASP vulnerability description page for Unsafe use of reflection:

If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers.

Shailendra answered Oct 22 '22 06:10
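The OWASP point quoted in the answer, shown as an added example (this is not code from the question, the answer, or the Secure Coding Guidelines). The class and method names below (ReflectionDispatch, Report, AdminTools, dispatchUnsafe, dispatchSafe) are hypothetical; the "attacker input" is a constructed string pair. The vulnerable path lets the untrusted string pick any public no-argument method on any loadable class; the hardened path uses the same Method.invoke, but the Method object is chosen at build time from a fixed allow-list, so user input can only select among intended targets.

```java
import java.lang.reflect.Method;
import java.util.Map;

// Added example: attacker-influenced reflection versus allow-listed dispatch.
// All names here are hypothetical and exist only for this demonstration.
public class ReflectionDispatch {

    // Hypothetical handler classes. Only Report is meant to be reachable from user input.
    public static class Report {
        public String summary() { return "report summary"; }
    }

    public static class AdminTools {
        public String dropAllTables() { return "tables dropped"; }
    }

    // Vulnerable: class and method names come straight from the request.
    // The caller decides which code runs, i.e. a control-flow path the
    // developer never intended (the OWASP "unsafe use of reflection" case).
    public static Object dispatchUnsafe(String className, String methodName) throws Exception {
        Class<?> cls = Class.forName(className);
        Method m = cls.getMethod(methodName);
        return m.invoke(cls.getDeclaredConstructor().newInstance());
    }

    // Hardened: the untrusted string is only a key into a fixed table.
    // Class and Method objects are resolved here, at class-initialisation
    // time, never from input.
    private static final Map<String, Method> ALLOWED;
    static {
        try {
            ALLOWED = Map.of("report.summary", Report.class.getMethod("summary"));
        } catch (NoSuchMethodException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    public static Object dispatchSafe(String action) throws Exception {
        Method m = ALLOWED.get(action);
        if (m == null) {
            throw new IllegalArgumentException("unknown action: " + action);
        }
        Object target = m.getDeclaringClass().getDeclaredConstructor().newInstance();
        return m.invoke(target);
    }

    public static void main(String[] args) throws Exception {
        // Intended use works through both paths.
        System.out.println(dispatchUnsafe("ReflectionDispatch$Report", "summary"));
        System.out.println(dispatchSafe("report.summary"));

        // Constructed attacker input: names a class/method the developer never exposed.
        System.out.println(dispatchUnsafe("ReflectionDispatch$AdminTools", "dropAllTables"));

        // The allow-listed path rejects anything outside the table.
        try {
            dispatchSafe("ReflectionDispatch$AdminTools.dropAllTables");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ReflectionDispatch.java && java ReflectionDispatch`. The first three calls succeed, the third one being the problem: `dropAllTables` was never meant to be reachable from a request, yet the unsafe dispatcher runs it because the class and method names were attacker-controlled. The hardened dispatcher still uses reflection and `Method.invoke`, but the only thing input can influence is which allow-listed entry is selected, so the set of reachable code is fixed by the developer rather than by the caller.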