
In guideline 9-11 / ACCESS-11, "Be aware java.lang.reflect.Method.invoke is ignored for checking the immediate caller", of the Secure Coding Guidelines for Java SE, it is stated that the Method.invoke implementation is ignored when determining the immediate caller, because otherwise the action would be performed with all permissions. So far that's clear to me, but then it is stated:

Therefore, avoid Method.invoke

I understand it is good that the Method.invoke implementation is ignored when determining the immediate caller, but why should it be avoided? What would be the reason to avoid it?

devReddit
Philippe

1 Answer


There is an inherent risk when using reflection for invoking methods (like in Java or C#). Quoting from the OWASP vulnerability description page for Unsafe use of reflection:

If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers.

Shailendra
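As an added illustration of the risk the answer quotes (this is example code written for this page, not taken from the question, the answer, or OWASP), assume a hypothetical AccountService with two request-level actions and one method that was never meant to be reachable from the request layer. The unsafe dispatcher hands the client-supplied action string straight to Method.invoke, so any public method with a matching signature becomes a control-flow path the developers did not intend; the hardened dispatcher replaces reflection with a fixed allow-list and rejects everything else. All request values below are constructed for the demonstration.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.function.BiFunction;

// Added example (not from the question or answer): mapping a client-supplied
// "action" string to a method, first with unchecked reflection and then with
// an explicit allow-list that does not consult reflection at all.
public class ReflectionDispatch {

    // Hypothetical service with both intended and unintended entry points.
    public static class AccountService {
        public String balance(String user) { return "balance for " + user; }
        public String history(String user) { return "history for " + user; }
        // Never meant to be reachable from the request layer.
        public String resetPassword(String user) { return "password reset for " + user; }
    }

    // UNSAFE: the action name comes straight from the request, so any public
    // method taking a String is reachable (OWASP: unsafe use of reflection).
    public static String dispatchUnsafe(AccountService svc, String action, String user)
            throws Exception {
        Method m = AccountService.class.getMethod(action, String.class);
        return (String) m.invoke(svc, user);
    }

    // SAFE: reflection is replaced by a fixed allow-list of actions. Unknown
    // action names are rejected instead of being looked up on the class.
    private static final Map<String, BiFunction<AccountService, String, String>> ACTIONS =
        Map.of(
            "balance", AccountService::balance,
            "history", AccountService::history
        );

    public static String dispatchSafe(AccountService svc, String action, String user) {
        BiFunction<AccountService, String, String> handler = ACTIONS.get(action);
        if (handler == null) {
            throw new IllegalArgumentException("unknown action: " + action);
        }
        return handler.apply(svc, user);
    }

    public static void main(String[] args) throws Exception {
        AccountService svc = new AccountService();
        // Constructed request values; "resetPassword" stands in for a method
        // name a client should never be able to select.
        String[] requested = {"balance", "resetPassword"};
        for (String action : requested) {
            System.out.println("unsafe : " + dispatchUnsafe(svc, action, "alice"));
            try {
                System.out.println("safe   : " + dispatchSafe(svc, action, "alice"));
            } catch (IllegalArgumentException e) {
                System.out.println("safe   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compiled with Java 9 or later (for Map.of), the unsafe path reaches resetPassword because nothing between the request and Method.invoke constrains the name, while the allow-listed path only ever calls the two handlers that were deliberately registered. The allow-list is also what makes the intended call graph visible to a reviewer or a static-analysis tool; a reflective lookup hides it behind a runtime string.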