[
https://issues.apache.org/jira/browse/CASSANDRA-12317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jeremiah Jordan updated CASSANDRA-12317:
----------------------------------------
Reproduced In: 3.0.5
Fix Version/s: (was: 3.0.5)
> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select
> Classes or Code
> ------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-12317
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12317
> Project: Cassandra
> Issue Type: Bug
> Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> Dynamically loaded code has the potential to be malicious. The application
> uses external input to select which classes or code to use, but it does not
> sufficiently prevent the input from selecting improper classes or code.
> The snippet below shows the issue which ends on line 198 by returning an
> object associated with a class by name.
> CompressionParams.java, lines 190-204:
> {code:java}
> 190 private static Class<?> parseCompressorClass(String className) throws
> ConfigurationException
> 191 {
> 192 if (className == null || className.isEmpty())
> 193 return null;
> 194
> 195 className = className.contains(".") ? className :
> "org.apache.cassandra.io.compress." + className;
> 196 try
> 197 {
> 198 return Class.forName(className);
> 199 }
> 200 catch (Exception e)
> 201 {
> 202 throw new ConfigurationException("Could not create Compression
> for type " + className, e);
> 203 }
> 204 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
