Determining an object's type based on its class name can lead to unexpected behavior or allow an attacker to inject a malicious class.
Attackers may deliberately duplicate class names in order to cause a program to execute malicious code. For this reason, class names are not good type identifiers and should not be used as the basis for granting trust to a given object.
Example 1: The following code opts to trust or distrust input from an inputReader object based on its class name. If an attacker is able to supply an implementation of inputReader that executes malicious commands, this code will be unable to differentiate the benign and malicious versions of the object.
// Vulnerable: the decision to trust the reader rests solely on its class name (CWE-486)
if (inputReader.getClass().getName().equals("TrustedName"))
{
    input = inputReader.getInput();
    ...
}
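Added example (not part of the original description): the name-based check next to a hardened version that compares Class objects, which the JVM identifies by name and defining class loader together, so a same-named class loaded elsewhere is a different Class and fails the test. The InputReader interface and the TrustedName implementation are assumed names for illustration.

```java
// Assumed interface and trusted implementation; the names are hypothetical.
interface InputReader {
    String getInput();
}

final class TrustedName implements InputReader {
    public String getInput() { return "benign input"; }
}

public class ClassNameCheck {

    // Vulnerable (CWE-486): any class whose binary name is "TrustedName",
    // including one defined by a different class loader, passes this check.
    static String readIfTrustedByName(InputReader inputReader) {
        if (inputReader.getClass().getName().equals("TrustedName")) {
            return inputReader.getInput();
        }
        return null;
    }

    // Hardened: compare Class objects rather than names. A Class is unique per
    // (name, defining class loader) pair, so only the TrustedName class this
    // code was linked against satisfies the identity comparison.
    static String readIfTrustedByClass(InputReader inputReader) {
        if (inputReader.getClass() == TrustedName.class) {
            return inputReader.getInput();
        }
        return null;
    }

    public static void main(String[] args) {
        InputReader reader = new TrustedName();
        System.out.println(readIfTrustedByName(reader));
        System.out.println(readIfTrustedByClass(reader));
    }
}
```

If subclasses of the trusted type are acceptable, `instanceof TrustedName` gives the same class-loader-aware guarantee; keeping TrustedName final, as above, prevents a subclass from overriding getInput().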
[1] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 486