Package io.github.pixee.security

Class Reflection

java.lang.Object

io.github.pixee.security.Reflection

public final class Reflection
extends Object

This type exposes helper methods that will help defend against attacks involving reflection and classloading.

Method Summary

Modifier and Type	Method	Description
static Set<ReflectionRestrictions>	defaultRestrictions()	Provide the default restrictions for loading a type that will work for the vast majority of applications.
static Class<?>	loadAndVerify(String name)	Helper method that delegates loadAndVerify(String, Set)
static Class<?>	loadAndVerify(String name, boolean initialize, ClassLoader loader)	This method sandboxes the classloading to prevent possibly dangerous types from being loaded, using the default restrictions.
static Class<?>	loadAndVerify(String name, Set<ReflectionRestrictions> restrictions)	This method sandboxes the classloading to prevent possibly dangerous types from being loaded.
static Class<?>	loadAndVerifyPackage(String name, String expectedPackage)	This method sandboxes the classloading to prevent possibly types outside the expected package from being loaded, with no other restrictions enforced.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

defaultRestrictions

public static Set<ReflectionRestrictions> defaultRestrictions()

Provide the default restrictions for loading a type that will work for the vast majority of applications.

Returns:

a set of restrictions that are suitable for broad use in protecting reflection operations

loadAndVerifyPackage

public static Class<?> loadAndVerifyPackage(String name,
                                            String expectedPackage)
                                     throws ClassNotFoundException

This method sandboxes the classloading to prevent possibly types outside the expected package from being loaded, with no other restrictions enforced.

Parameters:

name - the name of the type to load

expectedPackage - the package name we expect the loaded type to be in

Returns:

the result of Class.forName(String), if the type is

Throws:

ClassNotFoundException - if the class is not found

SecurityException - if the Class isn't in the expected package

loadAndVerify

public static Class<?> loadAndVerify(String name)
                              throws ClassNotFoundException

Helper method that delegates loadAndVerify(String, Set)

Parameters:

name - the name of the type to load

Returns:

the result of Class.forName(String), if it passes the default restrictions

Throws:

ClassNotFoundException - if the class is not found

loadAndVerify

public static Class<?> loadAndVerify(String name,
                                     boolean initialize,
                                     ClassLoader loader)
                              throws ClassNotFoundException

This method sandboxes the classloading to prevent possibly dangerous types from being loaded, using the default restrictions.

Parameters:

name - the name of the type to load

initialize - whether to initialize the class, passed to Class.forName(String, boolean, ClassLoader)

loader - the ClassLoader to use, passed to Class.forName(String, boolean, ClassLoader)

Returns:

the result of Class.forName(String), if it passes the default restrictions

Throws:

ClassNotFoundException - if the class is not found

loadAndVerify

public static Class<?> loadAndVerify(String name,
                                     Set<ReflectionRestrictions> restrictions)
                              throws ClassNotFoundException

This method sandboxes the classloading to prevent possibly dangerous types from being loaded.

Parameters:

name - the name of the type to load

restrictions - the set of ReflectionRestrictions to apply

Returns:

the result of Class.forName(String), if it passes the restrictions

Throws:

ClassNotFoundException - if the class is not found