
I'm using reflection to load the class at run-time, but Sonar rules are pointing to it as a vulnerability attack. I'm thinking of using ByteBuddy; can the ByteBuddy library help me with this?

ClassLoader classLoader = MyClass.class.getClassLoader();
Class<?> classsName = classLoader.loadClass(className);
Ivar
Tirumalesh
  • There is no reflection in your above example, just dynamic classloading. And your second line doesn't make sense (`className = loadClass(className)`) - but perhaps Sonar is complaining that you are getting `className` from an unsafe source. Bytebuddy won't help - you still need to load the class dynamically. – Erwin Bolwidt Nov 03 '17 at 14:12
  • From the loaded class, I just want to make one method accessible to public and I want to invoke it. – Tirumalesh Nov 03 '17 at 14:14
  • methodCall.setAccessible(true); methodCall.invoke(getmethod, "text"); – Tirumalesh Nov 03 '17 at 14:22
  • If it’s in the same ClassLoader as a known class (MyClass), why do you need to load it dynamically? I suspect you can accomplish your goal without a dynamically built class name. – VGR Nov 03 '17 at 15:03
  • To demonstrate, I have given it as MyClass, but I need to load a different class. – Tirumalesh Nov 03 '17 at 16:02

1 Answer


I am not sure if it will prevent the Sonar alert, but I'd rather use Class.forName(String) since it will proceed with all the class initialisations that could be required:

Class<?> cls = Class.forName(className);

Note that this method is overloaded so you can specify a class loader or whether the class needs to be initialized.

C.Champagne
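Added example (not code from the question or the answer): the comment above suggests Sonar may be objecting to `className` coming from an unsafe source, so this sketch checks the name against an allowlist before loading, uses the three-argument `Class.forName` overload the answer mentions with `initialize=false`, and calls the class through an interface instead of `setAccessible`/`invoke`. The names `SafeLoader`, `Handler`, `UpperHandler` and the allowlist contents are hypothetical; whether this clears the Sonar alert is not something the page establishes.

```java
import java.util.Set;

public class SafeLoader {
    // Hypothetical contract: callers use this interface, so no setAccessible/invoke is needed.
    public interface Handler {
        String handle(String input);
    }

    // Constructed sample implementation so the example runs on its own.
    public static class UpperHandler implements Handler {
        public String handle(String input) {
            return input.toUpperCase();
        }
    }

    // Allowlist of binary class names that may be loaded (assumed values).
    private static final Set<String> ALLOWED = Set.of("SafeLoader$UpperHandler");

    static Handler load(String className) throws ReflectiveOperationException {
        // Reject anything not explicitly permitted before touching the class loader.
        if (!ALLOWED.contains(className)) {
            throw new SecurityException("class not on allowlist: " + className);
        }
        ClassLoader loader = SafeLoader.class.getClassLoader();
        // initialize=false: static initializers do not run until the type check has passed.
        Class<?> raw = Class.forName(className, false, loader);
        // asSubclass throws ClassCastException if the class does not implement Handler.
        Class<? extends Handler> cls = raw.asSubclass(Handler.class);
        return cls.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Permitted name: loaded, type-checked, instantiated, called via the interface.
        System.out.println(load("SafeLoader$UpperHandler").handle("text"));
        // Constructed name that is not on the allowlist: rejected without any load attempt.
        try {
            load("com.example.Unlisted");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```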