40 lines
1.0 KiB
40 lines
1.0 KiB
/*
|
|
* Copyright (c) Facebook, Inc. and its affiliates.
|
|
*
|
|
* This source code is licensed under the MIT license found in the
|
|
* LICENSE file in the root directory of this source tree.
|
|
*/
|
|
|
|
package codetoanalyze.java.quandary;
|
|
|
|
import android.content.ClipboardManager;
|
|
|
|
public class ClassLoading {
|
|
ClipboardManager clipboard;
|
|
|
|
public String getUserControlledString() {
|
|
return this.clipboard.getText().toString();
|
|
}
|
|
|
|
public void clipboardToClassForNameBad() {
|
|
try {
|
|
Class cls = Class.forName(this.getUserControlledString());
|
|
} catch (Exception e) {
|
|
System.out.println("Exception: " + e);
|
|
}
|
|
}
|
|
|
|
/*
|
|
We don't want to report it as we consider that string concatenation
|
|
sanitizes the user-controlled string for class loading.
|
|
*/
|
|
public void clipboardToClassForNameWithConcatenationGood() {
|
|
String javaFileName = "blabla." + this.getUserControlledString();
|
|
try {
|
|
Class cls = Class.forName(javaFileName);
|
|
} catch (Exception e) {
|
|
System.out.println("Exception: " + e);
|
|
}
|
|
}
|
|
}
|