CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')


CWE Version: 4.18

Last Updated: 2025-09-09

Weakness Description

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

Extended Description

If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.

Common Consequences

Scope: Integrity; Confidentiality; Availability; Other

Technical Impact: Execute Unauthorized Code or Commands; Alter Execution Logic

Note: The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or at the wrong time, possibly modifying critical system state.

Scope: Availability; Other

Technical Impact: DoS: Crash, Exit, or Restart; Other

Note: The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the product to exit or hang.

Scope: Confidentiality

Technical Impact: Read Application Data

Note: By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536.

Potential Mitigations

Phase: Architecture and Design

Description: Refactor your code to avoid using reflection.

Phase: Architecture and Design

Description: Do not use user-controlled inputs to select and load classes or code.

Phase: Implementation

Description: Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.
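The following Python example is added here to illustrate the weakness described above and the "allowlist / indirect selection" mitigation; it is not code from the CWE entry. The service class, action names, and the allowed class list are all hypothetical. `unsafe_dispatch` and `unsafe_load_class` show the CWE-470 pattern, where an externally supplied string picks the method or class directly; `safe_dispatch` and `safe_load_class` replace that with a fixed table of permitted targets, so the input can only choose among what the developer intended.

```python
"""Added example (not part of the CWE entry): selecting code by name.

unsafe_* functions reproduce the CWE-470 pattern; safe_* functions apply
indirect selection through an allowlist. All names are hypothetical.
"""
import importlib


class AccountService:
    """Hypothetical service: one public operation and one internal one."""

    def get_balance(self, user):
        return f"balance for {user}"

    def _reset_password(self, user):
        # Intended to be reachable only from an authenticated admin flow.
        return f"password reset for {user}"


def unsafe_dispatch(service, action, user):
    """CWE-470: the external 'action' string names the method to invoke.

    Nothing prevents it from naming '_reset_password', so the admin-only
    path is reachable without whatever check normally guards it.
    """
    return getattr(service, action)(user)


# Indirect selection: external input is only a key into this fixed table.
# The table, not the input, decides which code can run.
ALLOWED_ACTIONS = {
    "balance": AccountService.get_balance,
}


def safe_dispatch(service, action, user):
    """Mitigated form: reject anything outside the allowlist."""
    handler = ALLOWED_ACTIONS.get(action)
    if handler is None:
        raise ValueError(f"unknown action: {action!r}")
    return handler(service, user)


def _load_by_name(qualified_name):
    """Resolve 'module.Attribute' via importlib (the reflection primitive)."""
    module_name, _, attr = qualified_name.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def unsafe_load_class(qualified_name):
    """CWE-470 for class selection: any importable module.attribute is reachable."""
    return _load_by_name(qualified_name)


# Allowlist of fully qualified names this component is permitted to load
# (hypothetical: the only decoder this component supports).
ALLOWED_CLASSES = {"json.JSONDecoder"}


def safe_load_class(qualified_name):
    """Mitigated form: the name is checked against the allowlist before loading."""
    if qualified_name not in ALLOWED_CLASSES:
        raise ValueError(f"class not permitted: {qualified_name!r}")
    return _load_by_name(qualified_name)


if __name__ == "__main__":
    svc = AccountService()
    print(unsafe_dispatch(svc, "_reset_password", "alice"))  # internal path reached
    print(safe_dispatch(svc, "balance", "alice"))
    try:
        safe_dispatch(svc, "_reset_password", "alice")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist maps input values to callables rather than to names, so even a valid-looking method name that is not in the table cannot be resolved; this is the "indirect selection" the Implementation-phase mitigation refers to.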

Detection Methods

Method: Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Effectiveness: High
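As an added illustration of the sink side of the source-to-sink search described above (this is not a tool from the CWE entry, and the list of sink functions is an assumption made for the example), the following Python script walks the AST of a code sample and reports reflection calls whose selector argument is not a string literal. A real SAST engine would additionally trace whether that argument is reachable from an external source; this script only locates the candidate sinks.

```python
"""Added example (not part of the CWE entry): a minimal reflection-sink finder.

Reports each call to an assumed set of Python reflection sinks whose
class/method selector is not a string literal. Data-flow tracing back to
the input source, which real SAST tools perform, is out of scope here.
"""
import ast

# Assumed sink list for this illustration (not a standard catalogue).
REFLECTION_SINKS = {"getattr", "__import__", "importlib.import_module"}


def _call_name(node):
    """Return 'name' or 'module.name' for a Call node's target, else None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _selector(node, name):
    """The argument that selects code: second for getattr, first otherwise."""
    index = 1 if name == "getattr" else 0
    return node.args[index] if len(node.args) > index else None


def find_unsafe_reflection(source):
    """Return sorted (line, sink) pairs for reflection calls with a non-literal selector."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in REFLECTION_SINKS:
            continue
        selector = _selector(node, name)
        if selector is not None and not isinstance(selector, ast.Constant):
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample input: two flagged sinks, one literal selector that is not.
SAMPLE = '''\
import importlib
def run(request):
    action = request.args["action"]
    handler = getattr(service, action)
    plugin = importlib.import_module(request.args["plugin"])
    fixed = getattr(service, "get_balance")
    return handler, plugin, fixed
'''


if __name__ == "__main__":
    for line, sink in find_unsafe_reflection(SAMPLE):
        print(f"line {line}: non-literal selector passed to {sink}")
```

On the constructed sample the finder reports lines 4 and 5; line 6 is skipped because its selector is a string literal, which is exactly the distinction an allowlist or indirect-selection fix is meant to enforce.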

Observed Examples

Reference: CVE-2018-1000613

Cryptography API uses unsafe reflection when deserializing a private key.

Reference: CVE-2004-2331

Database system allows attackers to bypass sandbox restrictions by using the Reflection API.

Modes of Introduction

Phase                    | Note
Architecture and Design  | -
Implementation           | -

Applicable Platforms

Languages
Java (Undetermined)
PHP (Undetermined)
Interpreted (Sometimes)

Taxonomy Mappings

Taxonomy Name | Node ID | Node Name | Mapping Fit
7 Pernicious Kingdoms | - | Unsafe Reflection | -
The CERT Oracle Secure Coding Standard for Java (2011) | SEC06-J | Do not use reflection to increase accessibility of classes, methods, or fields | -

Key Information

CWE ID: CWE-470

Abstraction: Base

Structure: Simple

Status: Draft

Related Weaknesses

Related Attack Patterns

CAPEC-138