Skip to content

Use class literals instead of getClass() for resource loading (CodeQL java/unsafe-get-resource)#224

Open
vharseko wants to merge 2 commits into
OpenIdentityPlatform:masterfrom
vharseko:features/codeql-unsafe-get-resource
Open

Use class literals instead of getClass() for resource loading (CodeQL java/unsafe-get-resource)#224
vharseko wants to merge 2 commits into
OpenIdentityPlatform:masterfrom
vharseko:features/codeql-unsafe-get-resource

Conversation

@vharseko

@vharseko vharseko commented Jul 8, 2026

Copy link
Copy Markdown
Member

Summary

Resolves all 27 CodeQL java/unsafe-get-resource alerts by replacing the
getClass().getResource(...) / getClass().getResourceAsStream(...) idiom with
an explicit class literal (<EnclosingClass>.class.getResource(...)).

getClass() returns the runtime class, so if a class is extended by a subclass
in another package — or loaded by a different class loader — the resource path is
resolved from a different location than the author intended. Pinning resolution to
the class where the code is written (a class literal) is the CodeQL-recommended
fix.

Why this is behaviour-preserving here

  • Most call sites use absolute resource paths (/foo), which resolve from the
    class-path root regardless of package, so the runtime class never mattered.
  • The only type that is actually subclassed, XmlTransformer, loads XSL via a
    constructor argument; all of its subclasses live in the same package and
    pass absolute paths (/xslt/...), so XmlTransformer.class resolves
    identically.
  • Every site runs within a single class loader (application / plugin jar).

Scope — 27 sites across 18 files

Module Files Sites
commons/util/util XMLHandler 1
commons/audit/core EventTopicsMetaDataBuilder 1
commons/audit/servlet AuditHttpApplication 1
commons/selfservice/example ExampleSelfServiceApplication 1
cassandra-embedded EmbeddedServer 4
commons/doc-maven-plugin AbstractDocbkxMojo, AsciidocToPdfMojo, AsciidocPreProcessMojo, XmlTransformer, SyntaxHighlighterCopier, BootstrapCopier, Redirect, Robots, Htaccess, IndexHtml, WebhelpPost, Html, Bootstrap 19

Testing

All six affected modules compile.

… java/unsafe-get-resource)

The idiom getClass().getResource() / getResourceAsStream() resolves resources
relative to the runtime class, so a subclass in another package (or one loaded by
a different class loader) could resolve a different resource than the author
intended. CodeQL flags this as java/unsafe-get-resource.

Replace getClass()/this.getClass() with an explicit class literal
(<EnclosingClass>.class) at all 27 flagged sites across 18 files in commons/util,
commons/audit, commons/selfservice/example, cassandra-embedded and
commons/doc-maven-plugin. The declaring class is always the one whose package the
resource lives in, so resolution is unchanged in every case here: most paths are
absolute (package-independent), and the only subclassed type (XmlTransformer)
receives absolute XSL paths from same-package subclasses. This resolves all 27
java/unsafe-get-resource alerts.

Behaviour is otherwise unchanged.

Verified: commons/util/util, commons/audit/core, commons/audit/servlet,
commons/selfservice/example, cassandra-embedded and commons/doc-maven-plugin
compile.
@vharseko vharseko added codeql CodeQL static-analysis findings refactoring Code cleanup / refactoring, no behavior change java labels Jul 8, 2026
@vharseko vharseko requested a review from maximthomas July 8, 2026 08:31
…afe-get-resource

# Conflicts:
#	commons/audit/core/src/main/java/org/forgerock/audit/events/EventTopicsMetaDataBuilder.java
@vharseko vharseko removed the java label Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

codeql CodeQL static-analysis findings refactoring Code cleanup / refactoring, no behavior change

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants