[ https://issues.apache.org/jira/browse/CASSANDRA-12309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeff Jirsa updated CASSANDRA-12309:
-----------------------------------
    Comment: was deleted

(was: Cassandra allows dynamic class loading in many places, and it's generally considered a feature. Various examples include Seed providers, Authenticator, Authorizer, Compaction Strategies, Partitioners, Snitches, Secondary Index, and Replication Strategies. Classifying this as a bug is probably inappropriate - there may be an environment where such a feature is unwanted, but it's very much intentional in its current form.)

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12309
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12309
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
>
> Issue:
> Dynamically loaded code has the potential to be malicious. The application uses external input to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
>
> The snippet below shows the issue on line 588 and the method returns a new instance on line 594 or 598.
> CqlConfigHelper.java, lines 584-605:
> {code:java}
> 584    private static AuthProvider getClientAuthProvider(String factoryClassName, Configuration conf)
> 585    {
> 586        try
> 587        {
> 588            Class<?> c = Class.forName(factoryClassName);
> 589            if (PlainTextAuthProvider.class.equals(c))
> 590            {
> 591                String username = getStringSetting(USERNAME, conf).or("");
> 592                String password = getStringSetting(PASSWORD, conf).or("");
> 593                return (AuthProvider) c.getConstructor(String.class, String.class)
> 594                                       .newInstance(username, password);
> 595            }
> 596            else
> 597            {
> 598                return (AuthProvider) c.newInstance();
> 599            }
> 600        }
> 601        catch (Exception e)
> 602        {
> 603            throw new RuntimeException("Failed to instantiate auth provider:" + factoryClassName, e);
> 604        }
> 605    }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
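For a deployment where the reporter's concern applies, a hardened variant of the method quoted above is shown here as an added example; it is not Cassandra's code. The class name is checked against a deployment-specific allowlist (contents assumed) and the class must implement AuthProvider before any instance is created; `AuthProvider` and `PlainTextAuthProvider` are minimal stand-ins for the driver's classes.

```java
import java.util.Set;

// Stand-in types constructed for this example; not the driver's real classes.
interface AuthProvider {}

class PlainTextAuthProvider implements AuthProvider {
    public PlainTextAuthProvider(String username, String password) {}
}

public final class SafeAuthProviderLoader {
    // Allowlist of provider classes this deployment permits (assumed, deployment-specific).
    private static final Set<String> ALLOWED_PROVIDERS =
        Set.of(PlainTextAuthProvider.class.getName());

    static AuthProvider getClientAuthProvider(String factoryClassName,
                                              String username, String password) {
        // Reject anything not explicitly permitted before touching the class loader.
        if (factoryClassName == null || !ALLOWED_PROVIDERS.contains(factoryClassName)) {
            throw new IllegalArgumentException("auth provider not permitted: " + factoryClassName);
        }
        try {
            // initialize=false: resolve the class without running its static initializers.
            Class<?> c = Class.forName(factoryClassName, false,
                                       SafeAuthProviderLoader.class.getClassLoader());
            // Require the expected supertype; a cast alone would fail only after construction.
            if (!AuthProvider.class.isAssignableFrom(c)) {
                throw new IllegalArgumentException(factoryClassName + " is not an AuthProvider");
            }
            Class<? extends AuthProvider> provider = c.asSubclass(AuthProvider.class);
            if (PlainTextAuthProvider.class.equals(provider)) {
                return provider.getDeclaredConstructor(String.class, String.class)
                               .newInstance(username, password);
            }
            return provider.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new RuntimeException("Failed to instantiate auth provider: " + factoryClassName, e);
        }
    }

    public static void main(String[] args) {
        AuthProvider ok = getClientAuthProvider(PlainTextAuthProvider.class.getName(), "u", "p");
        System.out.println("loaded: " + ok.getClass().getName());
        try {
            getClientAuthProvider("java.lang.Runtime", "u", "p");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```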