Insecure inherited permissions
Description
Do not grant dangerous combinations of permissions. The combination of createClassLoader and suppressAccessChecks permissions can be used to bypass security checks and create arbitrary class loaders, potentially leading to code injection and execution of malicious code.
Examples
Insecure Code
scala
val runVar = new RuntimePermission("createClassLoader");
val refVar = new ReflectPermission("suppressAccessChecks");
val permissionCollection: PermissionCollection = ...
permissionCollection.add(runVar)
permissionCollection.add(refVar)Secure Code
scala
val permissionCollection: PermissionCollection = ...
// Only add necessary permissions to the collectionRemediation
Remove or restrict the combination of createClassLoader and suppressAccessChecks permissions in the PermissionCollection.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0060 |
| Category | AccessControl |
| Severity | HIGH |
| CWE | CWE-277 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | permissions, injection |
| OWASP | N/A |