CWE-486: Comparison of Classes by Name

CWE-486: Comparison of Classes by Name | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In this example, the expression in the if statement compares the class of the inputClass object to a trusted class by comparing the class names.

Vulnerable example

java

if (inputClass.getClass().getName().equals("TrustedClassName")) {

Safe example

java

if (inputClass.getClass() == TrustedClass.class) {

However, multiple classes can have the same name therefore comparing an object's class by name can allow untrusted classes of the same name as the trusted class to be use to execute unintended or incorrect code. To compare the class of an object to the intended class the getClass() method and the comparison operator "==" should be used to ensure the correct trusted class is used, as shown in the following example.

In this example, the Java class, TrustedClass, overrides the equals method of the parent class Object to determine equivalence of objects of the class. The overridden equals method first determines if the object, obj, is the same class as the TrustedClass object and then compares the object's fields to determine if the objects are equivalent.

Vulnerable example

java

public class TrustedClass {

Safe example

java

public boolean equals(Object obj) {

However, the equals method compares the class names of the object, obj, and the TrustedClass object to determine if they are the same class. As with the previous example using the name of the class to compare the class of objects can lead to the execution of unintended or incorrect code if the object passed to the equals method is of another class with the same name. To compare the class of an object to the intended class, the getClass() method and the comparison operator "==" should be used to ensure the correct trusted class is used, as shown in the following example.

CWE-486: Comparison of Classes by Name

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-486?

How do you prevent CWE-486?

How is CWE-486 detected?

What are the consequences of CWE-486?

References

Stay ahead of CWE-486

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Peer

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-486?

How do you prevent CWE-486?

How is CWE-486 detected?

What are the consequences of CWE-486?

References

Stay ahead of CWE-486