Is code injection possible in Java?

Question

nowadays you can read much about code injection, exploits, buffer-, stack- and heap-overflows etc. leading to inject and run code. I wonder what of this stuff is relevant for Ja

Answer 1

You can't inject Java. But if you are not careful, people could inject Javascript (i.e. XSS as you mention) or SQL. There are heaps and stacks, but no way to get to them.

Answer 2

You could write a web service that accepted a Java code snippet, wrapped it in a class/method declaration, saved it to disk, ran the compiler on it and then dynamically loaded and executed the result. So code injection is certainly possible.

But with typical Java implementations, it's perhaps not very efficient because of the relatively heavyweight compilation process (it might still be practical for some apps though).

Code injection is highly relevant with SQL because the "first guess" of many beginners is to use string concatenation to insert variables into a statement. But it rarely crops up as an idea amongst Java programmers. So that's the reason it isn't much of a concern.

If Java compilers become exposed as light-weight library services, then you'd have something much closer to the equivalent of eval and therefore it might start to become a relevant concern.