Eduardo Aguinaga created CASSANDRA-12321:
--------------------------------------------

             Summary: Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code
                 Key: CASSANDRA-12321
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12321
             Project: Cassandra
          Issue Type: Bug
            Reporter: Eduardo Aguinaga
             Fix For: 3.0.5

Overview:

In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

Issue:

Dynamically loaded code has the potential to be malicious. The application uses external input to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

The snippet below shows the issue on lines 523-532 by instantiating a class by name.

CoalescingStrategies.java, lines 494-538:

{code:java}
494     @VisibleForTesting
495     static CoalescingStrategy newCoalescingStrategy(String strategy,
496                                                     int coalesceWindow,
497                                                     Parker parker,
498                                                     Logger logger,
499                                                     String displayName)
500     {
501         String classname = null;
502         String strategyCleaned = strategy.trim().toUpperCase();
503         switch(strategyCleaned)
504         {
505         case "MOVINGAVERAGE":
506             classname = MovingAverageCoalescingStrategy.class.getName();
507             break;
508         case "FIXED":
509             classname = FixedCoalescingStrategy.class.getName();
510             break;
511         case "TIMEHORIZON":
512             classname = TimeHorizonMovingAverageCoalescingStrategy.class.getName();
513             break;
514         case "DISABLED":
515             classname = DisabledCoalescingStrategy.class.getName();
516             break;
517         default:
518             classname = strategy;
519         }
520 
521         try
522         {
523             Class<?> clazz = Class.forName(classname);
524 
525             if (!CoalescingStrategy.class.isAssignableFrom(clazz))
526             {
527                 throw new RuntimeException(classname + " is not an instance of CoalescingStrategy");
528             }
529 
530             Constructor<?> constructor = clazz.getConstructor(int.class, Parker.class, Logger.class,
                                                                String.class);
531 
532             return (CoalescingStrategy)constructor.newInstance(coalesceWindow, parker, logger, displayName);
533         }
534         catch (Exception e)
535         {
536             throw new RuntimeException(e);
537         }
538     }
{code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
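The hardening a reviewer would ask for, as an added example that is not Cassandra's code: the external string selects only from a closed allowlist, so it never reaches Class.forName at all; and where arbitrary class names must still be accepted, the class is loaded with initialize=false so the type check runs before any static initializer of the named class can execute (in the snippet above, Class.forName(classname) initializes the class before the isAssignableFrom check). The CoalescingStrategy types below are minimal stand-ins with a single int constructor, constructed so the file compiles alone (Java 9+).

```java
import java.lang.reflect.Constructor;
import java.util.Map;
import java.util.function.Function;

// Constructed stand-ins for the page's types, not Cassandra's real classes.
interface CoalescingStrategy { String describe(); }
final class FixedCoalescingStrategy implements CoalescingStrategy {
    private final int window;
    public FixedCoalescingStrategy(int window) { this.window = window; }
    public String describe() { return "FIXED(" + window + ")"; }
}
final class DisabledCoalescingStrategy implements CoalescingStrategy {
    public DisabledCoalescingStrategy(int window) {}
    public String describe() { return "DISABLED"; }
}

public class StrategyLoading {
    // Allowlist: configuration only picks a key; there is no path from input to a class name.
    private static final Map<String, Function<Integer, CoalescingStrategy>> ALLOWED = Map.of(
        "FIXED", FixedCoalescingStrategy::new,
        "DISABLED", DisabledCoalescingStrategy::new);

    static CoalescingStrategy newCoalescingStrategy(String strategy, int coalesceWindow) {
        Function<Integer, CoalescingStrategy> factory = ALLOWED.get(strategy.trim().toUpperCase());
        if (factory == null)
            throw new IllegalArgumentException("unknown coalescing strategy: " + strategy);
        return factory.apply(coalesceWindow);
    }

    // Plugin variant (weaker than the allowlist): load WITHOUT initializing, check the type,
    // and only then obtain the constructor, which is when static initializers may run.
    static CoalescingStrategy loadPluginStrategy(String classname, int coalesceWindow) throws Exception {
        Class<?> clazz = Class.forName(classname, false, StrategyLoading.class.getClassLoader());
        if (!CoalescingStrategy.class.isAssignableFrom(clazz))
            throw new IllegalArgumentException(classname + " is not a CoalescingStrategy");
        Constructor<? extends CoalescingStrategy> ctor =
            clazz.asSubclass(CoalescingStrategy.class).getConstructor(int.class);
        return ctor.newInstance(coalesceWindow);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(newCoalescingStrategy(" fixed ", 200).describe());      // FIXED(200)
        try { newCoalescingStrategy("java.lang.Runtime", 200); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println(loadPluginStrategy("DisabledCoalescingStrategy", 200).describe());
        try { loadPluginStrategy("java.lang.Runtime", 200); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```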