[ 
https://issues.apache.org/jira/browse/CASSANDRA-12320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jeremiah Jordan updated CASSANDRA-12320:
----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select 
> Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12320
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12320
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis include the issue below.
> Issue:
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input to select which classes or code to use, but it does not 
> sufficiently prevent the input from selecting improper classes or code.
> The snippet below shows the issue on lines 537-539 and 568 by instantiating a 
> class by name.
> BulkLoader.java, lines 521-577:
> {code:java}
> 521 public LoaderOptions validateArguments()
> 522 {
> 523     // Both username and password need to be provided
> 524     if ((user != null) != (passwd != null))
> 525         errorMsg("Username and password must both be provided", getCmdLineOptions());
> 526 
> 527     if (user != null)
> 528     {
> 529         // Support for 3rd party auth providers that support plain text credentials.
> 530         // In this case the auth provider must provide a constructor of the form:
> 531         //
> 532         // public MyAuthProvider(String username, String password)
> 533         if (authProviderName != null)
> 534         {
> 535             try
> 536             {
> 537                 Class authProviderClass = Class.forName(authProviderName);
> 538                 Constructor constructor = authProviderClass.getConstructor(String.class, String.class);
> 539                 authProvider = (AuthProvider)constructor.newInstance(user, passwd);
> 540             }
> 541             catch (ClassNotFoundException e)
> 542             {
> 543                 errorMsg("Unknown auth provider: " + e.getMessage(), getCmdLineOptions());
> 544             }
> 545             catch (NoSuchMethodException e)
> 546             {
> 547                 errorMsg("Auth provider does not support plain text credentials: " + e.getMessage(), getCmdLineOptions());
> 548             }
> 549             catch (InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e)
> 550             {
> 551                 errorMsg("Could not create auth provider with plain text credentials: " + e.getMessage(), getCmdLineOptions());
> 552             }
> 553         }
> 554         else
> 555         {
> 556             // If a 3rd party auth provider wasn't provided use the driver plain text provider
> 557             authProvider = new PlainTextAuthProvider(user, passwd);
> 558         }
> 559     }
> 560     // Alternate support for 3rd party auth providers that don't use plain text credentials.
> 561     // In this case the auth provider must provide a nullary constructor of the form:
> 562     //
> 563     // public MyAuthProvider()
> 564     else if (authProviderName != null)
> 565     {
> 566         try
> 567         {
> 568             authProvider = (AuthProvider)Class.forName(authProviderName).newInstance();
> 569         }
> 570         catch (ClassNotFoundException | InstantiationException | IllegalAccessException e)
> 571         {
> 572             errorMsg("Unknown auth provider" + e.getMessage(), getCmdLineOptions());
> 573         }
> 574     }
> 575 
> 576     return this;
> 577 }
> {code}
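One way to constrain a lookup of this shape, shown here as an added example that is neither Cassandra's code nor the project's actual resolution of this ticket: the name is checked against an operator-maintained allowlist before the class loader is consulted, the class is resolved with initialize=false so its static initializer cannot run ahead of the type check, and asSubclass enforces the AuthProvider contract before any constructor is invoked. The AuthProvider interface, DemoPlainTextProvider and the ALLOWED_PROVIDERS set are stand-ins constructed for this illustration.

```java
import java.lang.reflect.Constructor;
import java.util.Set;

public class AuthProviderLoader
{
    // Stand-in for the driver's AuthProvider interface (constructed for this example).
    public interface AuthProvider {}

    // Stand-in provider offering both constructor shapes the original loader documents.
    public static class DemoPlainTextProvider implements AuthProvider
    {
        public DemoPlainTextProvider() {}
        public DemoPlainTextProvider(String username, String password) {}
    }

    // Allowlist of fully qualified class names the operator has approved (constructed value).
    // Exact names rather than package prefixes: a prefix would still admit any class that
    // happens to live under that package.
    private static final Set<String> ALLOWED_PROVIDERS =
        Set.of(DemoPlainTextProvider.class.getName());

    public static AuthProvider loadAuthProvider(String authProviderName, String user, String passwd)
        throws ReflectiveOperationException
    {
        // 1. Reject anything outside the allowlist before touching the class loader at all.
        if (!ALLOWED_PROVIDERS.contains(authProviderName))
            throw new IllegalArgumentException("Auth provider not permitted: " + authProviderName);

        // 2. Resolve without initializing: the named class's static initializer does not run
        //    until the type check below has passed.
        Class<?> raw = Class.forName(authProviderName, false, AuthProviderLoader.class.getClassLoader());

        // 3. Enforce the expected type before instantiation; asSubclass throws
        //    ClassCastException for a class that does not implement AuthProvider.
        Class<? extends AuthProvider> providerClass = raw.asSubclass(AuthProvider.class);

        // 4. Select the constructor shape the original code documents, via
        //    getDeclaredConstructor() rather than the deprecated Class.newInstance().
        if (user != null)
        {
            Constructor<? extends AuthProvider> ctor =
                providerClass.getDeclaredConstructor(String.class, String.class);
            return ctor.newInstance(user, passwd);
        }
        Constructor<? extends AuthProvider> ctor = providerClass.getDeclaredConstructor();
        return ctor.newInstance();
    }

    public static void main(String[] args) throws Exception
    {
        AuthProvider ok = loadAuthProvider(DemoPlainTextProvider.class.getName(), "alice", "secret");
        System.out.println("loaded: " + ok.getClass().getName());

        // java.util.ArrayList is a real class but is neither allowlisted nor an AuthProvider,
        // so the loader refuses it at step 1 without resolving it.
        try
        {
            loadAuthProvider("java.util.ArrayList", null, null);
        }
        catch (IllegalArgumentException e)
        {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Steps 2 and 3 on their own would already reject a non-provider class before it is instantiated; the allowlist in step 1 additionally keeps arbitrary names on the command line from reaching Class.forName at all, which is the condition the Fortify finding describes.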



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
