infer_clone/infer/tests/codetoanalyze/java/quandary/ClassLoading.java

40 lines
1.0 KiB

/*
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
package codetoanalyze.java.quandary;
import android.content.ClipboardManager;
public class ClassLoading {
ClipboardManager clipboard;
public String getUserControlledString() {
return this.clipboard.getText().toString();
}
public void clipboardToClassForNameBad() {
try {
Class cls = Class.forName(this.getUserControlledString());
} catch (Exception e) {
System.out.println("Exception: " + e);
}
}
/*
We don't want to report it as we consider that string concatenation
sanitizes the user-controlled string for class loading.
*/
public void clipboardToClassForNameWithConcatenationGood() {
String javaFileName = "blabla." + this.getUserControlledString();
try {
Class cls = Class.forName(javaFileName);
} catch (Exception e) {
System.out.println("Exception: " + e);
}
}
}