Home

SEC09-J Never leak the results of certain standard API methods from trusted code to untrusted code

This proposed additional recommendation/rule is under construction and incomplete.

The "certain standard API methods" are the ones to be listed in the new SEC03-J. Note that the leaking issue is transitive , and so requires escape analysis for general static proof.

SEC08-J Trusted code must discard or clean any arguments provided by untrusted code SEC10-J Never permit untrusted code to invoke any API that may (possibly transitively) invoke the reflection APIs