I'm currently reviewing the security implications of various warnings in a large Java EE application. Since most of the code is several years old, it contains many uses of the raw collection types:
List items = new List();
rather than the parametrized collection types:
List<Item> items = new List<Item>();
The only security implication I can think of is that raw types cannot be statically type-checked at compilation and could potentially result in a run-time errors such as ClassCastException
which, depending on where in the code this occurs, might lead to a denial of service.
Are there any other implications of using raw types that I'm not thinking of?
I can't think of any other security implications.
For non-security implications, generic types also do explicit casts* in the bytecode for types that return a generic. Of course, this is transparent to the user, and it appears that the type returned is the generic type.
For example:
List<Item> items = new ArrayList<Item>();
// .get(int) and remove(int) return Item automatically
*This happens due to type erasure .
Lack of type safety can lead to security problems. For instance lets say this list was being used to build a query:
"select name from users where id="+items[x]
If items contained a string value of union select load_file('/var/passwd')
an attacker could read an arbitrary file on your system. This is payload is assuming your using MySQL. If items was a list of integers, then this query isn't vulnerable to sql injection.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.