We scanned our code using HP Fortify, and it tags all of our reflection code that uses the setAccessible() method as a security misconfiguration. Although it provided a recommendation, I can't fully understand it. Below is the explanation and recommendation.
Explanation: The AccessibleObject API allows the programmer to get around the access control checks provided by Java access specifiers. In particular it enables the programmer to allow a reflected object to bypass Java access controls and in turn change the value of private fields or invoke private methods, behaviors that are normally disallowed.
Recommendations: Access specifiers should only be changed by a privileged class using arguments that an attacker cannot set. All occurrences should be examined carefully.
Does the recommendation state that we should use the Java Security Manager and the AccessController class?
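As an added illustration of what the Fortify text is pointing at (example code written for this post, not from Fortify or from the asker's code base), the class below puts the weak pattern next to the hardened one. `Account`, `setAnyField` and `renameOwner` are constructed names; the only real API used is `java.lang.reflect`. The weak helper lets the caller choose which private field is made accessible, so any string that reaches it decides what gets overwritten. The hardened helper fixes the reflective target as a compile-time constant, validates the value, and never lets the accessible `Field` escape, which is one concrete reading of "arguments that an attacker cannot set".

```java
import java.lang.reflect.Field;

// Constructed stand-in for an application object with private state.
final class Account {
    private boolean admin = false;
    private String owner;

    Account(String owner) { this.owner = owner; }

    boolean isAdmin() { return admin; }
    String getOwner() { return owner; }
}

public class ReflectionAccess {

    // WEAK: the caller picks the field name, so untrusted input (a request
    // parameter, a config value) can select any private field of any class
    // and overwrite it. setAccessible(true) switches off the 'private' check.
    static void setAnyField(Object target, String fieldName, Object value) throws Exception {
        Field f = target.getClass().getDeclaredField(fieldName);
        f.setAccessible(true);
        f.set(target, value);
    }

    // HARDENED: the reflective target is a constant chosen by this class, not
    // by its callers. The accessible Field is private and never returned, so
    // the only thing a caller can do is rename an owner with a validated value.
    // Note: since Java 9, setAccessible on a member of a class in a module
    // whose package is not opened throws InaccessibleObjectException; here both
    // classes live in the unnamed module, so the call succeeds.
    private static final Field OWNER_FIELD;
    static {
        try {
            OWNER_FIELD = Account.class.getDeclaredField("owner");
            OWNER_FIELD.setAccessible(true);
        } catch (NoSuchFieldException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    static void renameOwner(Account account, String newOwner) throws IllegalAccessException {
        if (newOwner == null || newOwner.isBlank()) {
            throw new IllegalArgumentException("owner must not be blank");
        }
        OWNER_FIELD.set(account, newOwner);
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account("alice");

        // Weak helper: "admin" is just a string and could have come from anywhere.
        setAnyField(acct, "admin", Boolean.TRUE);
        System.out.println("admin after weak helper = " + acct.isAdmin()); // true

        // Hardened helper: only 'owner' can ever be touched, and only with a valid value.
        renameOwner(acct, "bob");
        System.out.println("owner after hardened helper = " + acct.getOwner()); // bob
        try {
            renameOwner(acct, "");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When reviewing each flagged occurrence, the question to ask is the one the hardened helper answers: who decides which class and member becomes accessible, and can that decision be influenced by data from outside the privileged class? One caveat for anyone considering the Security Manager route: it was deprecated for removal in Java 17 (JEP 411), so the design-level fix (fixed targets, no caller-supplied member names, no escaping `Field`/`Method` objects) is the part that keeps working on current JDKs.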