Eduardo Aguinaga created CASSANDRA-12317:
--------------------------------------------

             Summary: Use of Dynamic Class Loading, Use of 
Externally-Controlled Input to Select Classes or Code
                 Key: CASSANDRA-12317
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12317
             Project: Cassandra
          Issue Type: Bug
            Reporter: Eduardo Aguinaga
             Fix For: 3.0.5


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of 
the Cassandra source code. The analysis included an automated analysis using HP 
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The 
results of that analysis includes the issue below.

Issue:
Dynamically loaded code has the potential to be malicious. The application uses 
external input to select which classes or code to use, but it does not 
sufficiently prevent the input from selecting improper classes or code.

The snippet below shows the issue which ends on line 198 by returning an object 
associated with a class by name.

CompressionParams.java, lines 190-204:
{code:java}
190 private static Class<?> parseCompressorClass(String className) throws 
ConfigurationException
191 {
192     if (className == null || className.isEmpty())
193         return null;
194 
195     className = className.contains(".") ? className : 
"org.apache.cassandra.io.compress." + className;
196     try
197     {
198         return Class.forName(className);
199     }
200     catch (Exception e)
201     {
202         throw new ConfigurationException("Could not create Compression for 
type " + className, e);
203     }
204 }
{code}




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to