How to secure Class.forName("com.mysql.jdbc.Driver)?

Question

I ran security scan on our application and one of the security issues that came up with is "Download of Code Without Integrity Check". This risk points of the line at Class.forName("com.mysql.jdbc.Driver");

I have not able to find out

how do I secure the above line of code?
How do I make sure parameter for forName("") is not malicious class that I would be loading.

Note: I am using Java 1.7 on our live environment. We do not have a security policy/SecurityManager in place.

Edit: Security Scan used is Checkmarx.

Remove it. It hasn't been needed since 2007. – user207421 Sep 21 '16 at 17:00 — user207421, Sep 21 '16 at 17:00
Yup that works. Thanks! – Rohan Dmello Sep 21 '16 at 18:21 — Rohan Dmello, Sep 21 '16 at 18:21

score 3 · Accepted Answer · edited May 23 '17 at 12:00

3

With recent JDBC drivers there's no need to do the Class.forName() registration anymore. Update your driver if it's old (not JDBC4 or newer), and you'll be able to remove the line altogether.

The security issue seems to refer to this which would mean that the attacker has already access to the classpath, and therefore can cause plenty of damage in other ways as well. The suggested solution of checking a checksum at that point may not be of too much help.

edited May 23 '17 at 12:00

Community

1
1

answered Sep 21 '16 at 16:46

Kayaman

72,141
5
83
121

Nevertheless, that still sounds like a bug in the report. – chrylis -cautiouslyoptimistic- Sep 21 '16 at 16:51
1

Could be, he didn't mention which tool he was using or on what basis it would flag that. It's also questionable why it talks about "Download of code". – Kayaman Sep 21 '16 at 16:54
That did work for me. But what if the class is not '"com.mysql.jdbc.Driver"'. How do you secure 'Class.forName();' then? – Rohan Dmello Sep 21 '16 at 18:25

How to secure Class.forName("com.mysql.jdbc.Driver)?

1 Answers1