In guideline 9-11 / ACCESS-11, "Be aware java.lang.reflect.Method.invoke is ignored for checking the immediate caller", of the Secure Coding Guidelines for Java SE, it is stated that the Method.invoke implementation is ignored when determining the immediate caller, because otherwise the action would be performed with all permissions. So far that's clear to me, but then it is stated:

"Therefore, avoid Method.invoke."

I understand it is good that the Method.invoke implementation is ignored when determining the immediate caller, but why should it be avoided? What would be the reason to avoid it?
Java Method invoke() method: the invoke() method of java.lang.reflect.Method invokes the underlying method represented by that Method object on the specified object with the specified parameters. Individual parameters are automatically unwrapped to match primitive formal parameters (an Integer argument is passed to an int parameter), and both primitive and reference parameters are subject to method invocation conversions as necessary.
invoke() returns the value the underlying method returns. If that value has a primitive type it is wrapped in an object; if the underlying method has a void return type, invoke() returns null. An exception thrown by the underlying method is wrapped in an InvocationTargetException, so callers that care about the failure must unwrap it.
Java Invoke is a synchronous activity that can be used to invoke a Java class method. It can also construct an instance of the specified Java class by invoking that class's constructor.
There is an inherent risk when using reflection for invoking methods (as in Java or C#). Quoting from the OWASP vulnerability description page for "Unsafe use of Reflection":
If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers.
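The dispatcher pattern the OWASP text above warns about, shown both ways, as an added example that is not part of the question or the answer. It is self-contained; the Orders and Admin classes, the action names and the request values are hypothetical. The unsafe variant lets request data pick the class and the method, so a caller can reach Admin.dropAllOrders even though the developer only ever meant to expose Orders. The hardened variant still uses Method.invoke, but only on a closed allowlist of Method objects the developer resolved at class load time, so request data can select among them and nothing else. The call with an int argument also shows the unwrapping described earlier: the Integer passed to invoke() is unwrapped to match the int formal parameter. As the guideline quoted in the question notes, the reflective frames are not counted as the immediate caller, so any caller-sensitive check inside the invoked method sees the dispatcher class itself; that is one more reason the set of reachable methods must be fixed by the developer rather than by the request.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Map;

public class ReflectionDispatch {

    // Hypothetical business operations a request is allowed to trigger.
    public static class Orders {
        public String view(int id)   { return "order " + id; }
        public String cancel(int id) { return "cancelled " + id; }
    }

    // Hypothetical privileged operation a request must never reach.
    public static class Admin {
        public String dropAllOrders(int unused) { return "all orders dropped"; }
    }

    // VULNERABLE: class name and method name come straight from the request.
    // The attacker chooses the control-flow path, exactly as OWASP describes.
    public static Object unsafeDispatch(String className, String methodName, int arg)
            throws Exception {
        Class<?> target = Class.forName(className);
        Method m = target.getMethod(methodName, int.class);
        Object instance = target.getDeclaredConstructor().newInstance();
        // arg is autoboxed to Integer here and unwrapped by invoke() to match int.
        return m.invoke(instance, arg);
    }

    // HARDENED: the request may only select from methods the developer resolved
    // up front. Nothing outside this map is reachable, whatever the input says.
    private static final Map<String, Method> ALLOWED;
    static {
        try {
            ALLOWED = Map.of(
                "view",   Orders.class.getMethod("view", int.class),
                "cancel", Orders.class.getMethod("cancel", int.class));
        } catch (NoSuchMethodException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    public static String safeDispatch(String action, int arg)
            throws IllegalAccessException, InvocationTargetException {
        Method m = ALLOWED.get(action);
        if (m == null) {
            throw new IllegalArgumentException("unknown action: " + action);
        }
        // The receiver is fixed too; request data never chooses the class.
        return (String) m.invoke(new Orders(), arg);
    }

    public static void main(String[] args) throws Exception {
        // Intended use works in both variants.
        System.out.println(unsafeDispatch("ReflectionDispatch$Orders", "view", 7));
        System.out.println(safeDispatch("view", 7));

        // Attacker-controlled request reaches a method the developer never exposed.
        System.out.println(unsafeDispatch("ReflectionDispatch$Admin", "dropAllOrders", 0));

        // The same request is rejected by the allowlist.
        try {
            safeDispatch("dropAllOrders", 0);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Exceptions thrown by the target surface as InvocationTargetException.
        try {
            ALLOWED.get("view").invoke(null, 1); // null receiver for an instance method
        } catch (NullPointerException e) {
            System.out.println("receiver check failed before invocation: " + e);
        }
    }
}
```

Compile and run with `javac ReflectionDispatch.java && java ReflectionDispatch`. The allowlist is the whole point: reflection is not the vulnerability by itself, letting untrusted input choose the Method object is. Keeping the Method objects, the receiver type and the parameter types fixed in code means the reflective call cannot be steered anywhere the developer did not already decide on.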