Re: detecting nasty class/jar files?
"Andreas Leitgeb" <avl@gamma.logic.tuwien.ac.at> wrote in message
news:slrnevj8g5.p5i.avl@gamma.logic.tuwien.ac.at...
>>> Oliver Wong <owong@castortech.com> wrote:
>>>> The Class.forName allows you access to any class on the system
>>> A jar file that calls Class.forName() and reflection is
>>> then suspicious. (As far as I think, Class.forName alone
>>> is not yet dangerous, but I could be wrong there, of course.)
>> Classes can have static initializers, thus triggering code to run
>> as soon as they are loaded, even if none of the methods (static or
>> otherwise) or constructors on that class are called.
> So, anyway, it needs to call .forName() and have that reference in it.
> Then, if the class that gets loaded is in the jar file, then it's
> also under static analysis.
> If it is a foreign one, then it must be one in the classpath, and
> I trust that no class in the JRE, nor in my ext directory, will
> do anything nasty in its static initializer block.
.forName() can also specify a class loader, which might be a custom
one which loads classes from a location other than the classpath, the JRE
and your ext directory. It might, for example, dynamically create the
bytecode for the new class from a byte array.
- Oliver
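The two points made in this exchange, that a static initializer runs on load with no method or constructor called, and that Class.forName() can take a loader which defines the class from a byte array rather than from the jar, the classpath or the JRE, can be shown in a few lines. The following is an added example, not code posted in the thread; the class names (ForNameDemo, Payload, ByteArrayLoader) are made up for illustration, and it assumes Java 9 or later (for InputStream.readAllBytes) compiled in the default package.

```java
import java.io.IOException;
import java.io.InputStream;

/**
 * Added example (not from the thread): Class.forName() with a custom loader
 * that defines a class from a byte array. The class that ends up running is
 * not looked up in the application classpath, the JRE or the ext directory.
 */
public class ForNameDemo {

    /** Stand-in for a class whose static initializer is the "payload". */
    public static class Payload {
        static {
            // Runs at class initialization; no constructor or method is ever called.
            System.out.println("Payload.<clinit> ran, defined by "
                    + Payload.class.getClassLoader());
        }
    }

    /** Loader that defines exactly one class, by name, from a byte array. */
    static final class ByteArrayLoader extends ClassLoader {
        private final String name;
        private final byte[] bytes;

        ByteArrayLoader(String name, byte[] bytes) {
            super(null); // parent = bootstrap only: the application classpath is not consulted
            this.name = name;
            this.bytes = bytes;
        }

        @Override
        protected Class<?> findClass(String n) throws ClassNotFoundException {
            if (n.equals(name)) {
                return defineClass(n, bytes, 0, bytes.length);
            }
            throw new ClassNotFoundException(n);
        }
    }

    /**
     * Obtains the class bytes. Here they are read from the compiled nested class
     * for convenience; in a real jar they could just as well be a decrypted blob,
     * a resource with an innocuous name, or bytes fetched or generated at runtime.
     */
    static byte[] payloadBytes() throws IOException {
        try (InputStream in = ForNameDemo.class.getResourceAsStream("ForNameDemo$Payload.class")) {
            if (in == null) {
                throw new IOException("ForNameDemo$Payload.class not found next to ForNameDemo");
            }
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        // Payload.class (ldc) and getName() do not initialize the classpath copy of Payload.
        String name = Payload.class.getName();
        ClassLoader loader = new ByteArrayLoader(name, payloadBytes());

        // initialize=false: the class is defined from the byte array, but <clinit> has not run.
        Class<?> lazy = Class.forName(name, false, loader);
        System.out.println("loaded " + lazy.getName() + " via "
                + lazy.getClassLoader().getClass().getSimpleName());

        // initialize=true: the static initializer runs now, with nothing on the class invoked.
        Class<?> live = Class.forName(name, true, loader);
        System.out.println("same Class object: " + (lazy == live));
    }
}
```

Compile and run with `javac ForNameDemo.java && java ForNameDemo`; the "Payload.<clinit> ran" line appears only after the second forName() call, and the loader it reports is ByteArrayLoader, not the application loader. For a scanner this means the class that does the work need not be a .class entry in the jar at all, and the name passed to forName() need not be a literal string in the constant pool either, so "is Class.forName referenced?" catches the obvious case but not this one.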