java.lang.Object
    io.github.pixee.security.Reflection

public final class Reflection extends java.lang.Object

This type exposes helper methods that will help defend against attacks involving reflection and classloading.

Method Summary

Modifier and Type, Method, Description:

- static java.util.Set<ReflectionRestrictions> defaultRestrictions()
  Provide the default restrictions for loading a type that will work for the vast majority of applications.
- static java.lang.Class<?> loadAndVerify(java.lang.String name)
  Helper method that delegates to loadAndVerify(String, Set)
- static java.lang.Class<?> loadAndVerify(java.lang.String name, boolean initialize, java.lang.ClassLoader loader)
  This method sandboxes the classloading to prevent possibly dangerous types from being loaded, using the default restrictions.
- static java.lang.Class<?> loadAndVerify(java.lang.String name, java.util.Set<ReflectionRestrictions> restrictions)
  This method sandboxes the classloading to prevent possibly dangerous types from being loaded.
- static java.lang.Class<?> loadAndVerifyPackage(java.lang.String name, java.lang.String expectedPackage)
  This method sandboxes the classloading to prevent types outside the expected package from being loaded, with no other restrictions enforced.

Method Detail

defaultRestrictions

public static java.util.Set<ReflectionRestrictions> defaultRestrictions()

Provide the default restrictions for loading a type that will work for the vast majority of applications.

Returns:
- a set of restrictions that are suitable for broad use in protecting reflection operations

loadAndVerifyPackage

public static java.lang.Class<?> loadAndVerifyPackage(java.lang.String name, java.lang.String expectedPackage) throws java.lang.ClassNotFoundException

This method sandboxes the classloading to prevent types outside the expected package from being loaded, with no other restrictions enforced.

Parameters:
- name - the name of the type to load
- expectedPackage - the package name we expect the loaded type to be in

Returns:
- the result of Class.forName(String), if the type is

Throws:
- java.lang.ClassNotFoundException - if the class is not found
- java.lang.SecurityException - if the Class isn't in the expected package

loadAndVerify

public static java.lang.Class<?> loadAndVerify(java.lang.String name) throws java.lang.ClassNotFoundException

Helper method that delegates to loadAndVerify(String, Set)

Parameters:
- name - the name of the type to load

Returns:
- the result of Class.forName(String), if it passes the default restrictions

Throws:
- java.lang.ClassNotFoundException - if the class is not found

loadAndVerify

public static java.lang.Class<?> loadAndVerify(java.lang.String name, boolean initialize, java.lang.ClassLoader loader) throws java.lang.ClassNotFoundException

This method sandboxes the classloading to prevent possibly dangerous types from being loaded, using the default restrictions.

Parameters:
- name - the name of the type to load
- initialize - whether to initialize the class, passed to Class.forName(String, boolean, ClassLoader)
- loader - the ClassLoader to use, passed to Class.forName(String, boolean, ClassLoader)

Returns:
- the result of Class.forName(String), if it passes the default restrictions

Throws:
- java.lang.ClassNotFoundException - if the class is not found

loadAndVerify

public static java.lang.Class<?> loadAndVerify(java.lang.String name, java.util.Set<ReflectionRestrictions> restrictions) throws java.lang.ClassNotFoundException

This method sandboxes the classloading to prevent possibly dangerous types from being loaded.

Parameters:
- name - the name of the type to load
- restrictions - the set of ReflectionRestrictions to apply

Returns:
- the result of Class.forName(String), if it passes the restrictions

Throws:
- java.lang.ClassNotFoundException - if the class is not found
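
An added usage example for loadAndVerifyPackage (not from the library's own documentation): a class name read from configuration is loaded only if it lives in the expected package, and the documented SecurityException is handled by failing closed. QueueFactory, newQueue and the choice of java.util.concurrent are assumptions made for the illustration, and the library must be on the classpath.

```java
import io.github.pixee.security.Reflection;
import java.util.concurrent.BlockingQueue;

/** Added example: builds a queue whose implementation class is named in configuration. */
public final class QueueFactory {

  // Assumption for this example: only JDK queue types from this package are acceptable.
  private static final String EXPECTED_PACKAGE = "java.util.concurrent";

  /** Loads and instantiates the configured type, rejecting anything outside the package. */
  static BlockingQueue<Object> newQueue(String configuredName) {
    try {
      // Takes the place of a bare Class.forName(configuredName).
      Class<?> type = Reflection.loadAndVerifyPackage(configuredName, EXPECTED_PACKAGE);

      // The package check enforces no other restriction, so confirm the
      // loaded type is actually the kind of object the caller expects.
      if (!BlockingQueue.class.isAssignableFrom(type)) {
        throw new IllegalArgumentException("not a BlockingQueue: " + configuredName);
      }

      @SuppressWarnings("unchecked")
      BlockingQueue<Object> queue =
          (BlockingQueue<Object>) type.getDeclaredConstructor().newInstance();
      return queue;
    } catch (SecurityException e) {
      // Documented outcome when the class isn't in the expected package.
      throw new IllegalArgumentException(
          "type outside " + EXPECTED_PACKAGE + ": " + configuredName, e);
    } catch (ReflectiveOperationException e) {
      // Covers ClassNotFoundException and constructor/instantiation failures.
      throw new IllegalArgumentException("cannot instantiate: " + configuredName, e);
    }
  }

  public static void main(String[] args) {
    // Both names below are constructed sample inputs.
    System.out.println(newQueue("java.util.concurrent.LinkedBlockingQueue").getClass());
    try {
      newQueue("java.lang.ProcessBuilder"); // a type the configuration should never name
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```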