What are the security implications of using raw types in Java?

Question

I'm currently reviewing the security implications of various warnings in a large Java EE application. Since most of the code is several years old, it contains many uses of the raw collection types:

List items = new List();

rather than the parametrized collection types:

List<Item> items = new List<Item>();

The only security implication I can think of is that raw types cannot be statically type-checked at compilation and could potentially result in a run-time errors such as ClassCastException which, depending on where in the code this occurs, might lead to a denial of service.

Are there any other implications of using raw types that I'm not thinking of?

Answer 1

I can't think of any other security implications.

For non-security implications, generic types also do explicit casts* in the bytecode for types that return a generic. Of course, this is transparent to the user, and it appears that the type returned is the generic type.

For example:

List<Item> items = new ArrayList<Item>();
// .get(int) and remove(int) return Item automatically

*This happens due to type erasure.

Answer 2

Lack of type safety can lead to security problems. For instance lets say this list was being used to build a query:

"select name from users where id="+items[x]

If items contained a string value of union select load_file('/var/passwd') an attacker could read an arbitrary file on your system. This is payload is assuming your using MySQL. If items was a list of integers, then this query isn't vulnerable to sql injection.