如何保护Class.forName(“com.mysql.jdbc.Driver”)?
[英]How to secure Class.forName("com.mysql.jdbc.Driver)?
问题描述
I ran security scan on our application and one of the security issues that came up with is "Download of Code Without Integrity Check". 
我在我们的应用程序上运行了安全扫描,其中一个安全问题是“下载没有完整性检查的代码”。 This risk points of the line at Class.forName("com.mysql.jdbc.Driver"); Class.forName("com.mysql.jdbc.Driver");中该行的风险点Class.forName("com.mysql.jdbc.Driver");
I have not able to find out 我无法找到答案
- how do I secure the above line of code? 我如何保护上面的代码?
- How do I make sure parameter for
forName("")is not malicious class that I would be loading.如何确保forName("")参数不是我要加载的恶意类。
Note: I am using Java 1.7 on our live environment. 注意:我在我们的实时环境中使用Java 1.7。 We do not have a security policy/SecurityManager in place. 我们没有安全策略/ SecurityManager。
Edit: Security Scan used is Checkmarx. 编辑:使用的安全扫描是Checkmarx。
1 个解决方案
解决方案1
3 已采纳 2016-09-21 16:46:39
With recent JDBC drivers there's no need to do the Class.forName() registration anymore. 使用最近的JDBC驱动程序 ,不再需要进行Class.forName()注册。 Update your driver if it's old (not JDBC4 or newer), and you'll be able to remove the line altogether. 如果驱动程序已经过时(不是JDBC4或更新版本),请更新驱动程序,并且您将能够完全删除该驱动程序。
The security issue seems to refer to this which would mean that the attacker has already access to the classpath, and therefore can cause plenty of damage in other ways as well. 安全问题似乎是指这意味着攻击者已经访问了类路径,因此也可能在其他方面造成大量破坏。 The suggested solution of checking a checksum at that point may not be of too much help. 在该点检查校验和的建议解决方案可能没有太多帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.