Skip to content

Fix inconsistent ClassLoader usage between class presence check and actual class loading #3570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
linw-bai wants to merge 3 commits into from
Closed

Fix inconsistent ClassLoader usage between class presence check and actual class loading #3570

linw-bai wants to merge 3 commits into from
+14 −58

Conversation

@linw-bai
Copy link

@linw-bai linw-bai commented Dec 10, 2025

Fix inconsistent ClassLoader usage between class presence check and actual class loading

Background

LettuceClassUtils#getDefaultClassLoader() currently returns the Thread Context ClassLoader (TCCL) when available.
However, LettuceClassUtils#isPresent(...) relies on this method to check class existence, while the actual class loading is later performed using the ClassLoader of LettuceClassUtils itself.
This leads to an inconsistent ClassLoader strategy:

  • Presence check: uses Thread Context ClassLoader
  • Actual loading: uses LettuceClassUtils.class.getClassLoader()
    In environments with multiple ClassLoaders (e.g. OSGi, Servlet containers, shaded applications, plugin systems), this can cause:
  • isPresent(...) returning true
  • Followed by a ClassNotFoundException during actual class loading
    This is a classic false-positive detection issue caused by mismatched ClassLoaders.

Root Cause

The root problem is that:

  • getDefaultClassLoader() returns TCCL
  • But Class.forName(...) and direct loading later use a different ClassLoader
    So the class existence check is not aligned with the loader that actually loads the class.

Solution

This PR makes the ClassLoader strategy consistent by:

  • Ensuring that both class presence checks and real class loading use the same ClassLoader
  • Preferring LettuceClassUtils.class.getClassLoader() as the primary loader

a-TODO-rov and others added 3 commits December 5, 2025 15:23
@jit-ci
Copy link

jit-ci bot commented Dec 10, 2025

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

@linw-bai linw-bai changed the title 7.1.x Fix inconsistent ClassLoader usage between class presence check and actual class loading Dec 10, 2025
@a-TODO-rov a-TODO-rov closed this Dec 16, 2025
@a-TODO-rov
Copy link
Contributor

a-TODO-rov commented Dec 16, 2025

Hello @linw-bai
You need to make PR against the main branch first and then the fix will be backported to earlier versions if needed.
I am closing this PR for now. Feel free to open it against main and we will review it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@linw-bai @a-TODO-rov