[jira] [Updated] (CASSANDRA-12308) Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code

Wed, 27 Jul 2016 14:25:47 -0700 

     [ 
https://issues.apache.org/jira/browse/CASSANDRA-12308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jonathan Ellis updated CASSANDRA-12308:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select 
> Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12308
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12308
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input to select which classes or code to use, but it does not 
> sufficiently prevent the input from selecting improper classes or code.
> The snippet below shows the issue which ends on line 585 by instantiating a 
> class by name.
> ConfigHelper.java, lines 558-591:
> {code:java}
> 558 @SuppressWarnings("resource")
> 559 public static Cassandra.Client createConnection(Configuration conf, 
> String host, Integer port) throws IOException
> 560 {
> 561     try
> 562     {
> 563         TTransport transport = 
> getClientTransportFactory(conf).openTransport(host, port);
> 564         return new Cassandra.Client(new TBinaryProtocol(transport, true, 
> true));
> 565     }
> 566     catch (Exception e)
> 567     {
> 568         throw new IOException("Unable to connect to server " + host + ":" 
> + port, e);
> 569     }
> 570 }
> 571 
> 572 public static ITransportFactory getClientTransportFactory(Configuration 
> conf)
> 573 {
> 574     String factoryClassName = conf.get(ITransportFactory.PROPERTY_KEY, 
> TFramedTransportFactory.class.getName());
> 575     ITransportFactory factory = 
> getClientTransportFactory(factoryClassName);
> 576     Map<String, String> options = getOptions(conf, 
> factory.supportedOptions());
> 577     factory.setOptions(options);
> 578     return factory;
> 579 }
> 580 
> 581 private static ITransportFactory getClientTransportFactory(String 
> factoryClassName)
> 582 {
> 583     try
> 584     {
> 585         return (ITransportFactory) 
> Class.forName(factoryClassName).newInstance();
> 586     }
> 587     catch (Exception e)
> 588     {
> 589         throw new RuntimeException("Failed to instantiate transport 
> factory:" + factoryClassName, e);
> 590     }
> 591 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to