[ https://issues.apache.org/jira/browse/CASSANDRA-12320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-12320: --------------------------------------- Issue Type: Sub-task (was: Bug) Parent: CASSANDRA-12334 > Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select > Classes or Code > ------------------------------------------------------------------------------------------ > > Key: CASSANDRA-12320 > URL: https://issues.apache.org/jira/browse/CASSANDRA-12320 > Project: Cassandra > Issue Type: Sub-task > Reporter: Eduardo Aguinaga > > Overview: > In May through June of 2016 a static analysis was performed on version 3.0.5 > of the Cassandra source code. The analysis included an automated analysis > using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools > Understand v4. The results of that analysis includes the issue below. > Issue: > Dynamically loaded code has the potential to be malicious. The application > uses external input to select which classes or code to use, but it does not > sufficiently prevent the input from selecting improper classes or code. > The snippet below shows the issue on lines 537-539 and 568 by instantiating a > class by name. > BulkLoader.java, lines 521-577: > {code:java} > 521 public LoaderOptions validateArguments() > 522 { > 523 // Both username and password need to be provided > 524 if ((user != null) != (passwd != null)) > 525 errorMsg("Username and password must both be provided", > getCmdLineOptions()); > 526 > 527 if (user != null) > 528 { > 529 // Support for 3rd party auth providers that support plain text > credentials. > 530 // In this case the auth provider must provide a constructor of > the form: > 531 // > 532 // public MyAuthProvider(String username, String password) > 533 if (authProviderName != null) > 534 { > 535 try > 536 { > 537 Class authProviderClass = Class.forName(authProviderName); > 538 Constructor constructor = > authProviderClass.getConstructor(String.class, String.class); > 539 authProvider = > (AuthProvider)constructor.newInstance(user, passwd); > 540 } > 541 catch (ClassNotFoundException e) > 542 { > 543 errorMsg("Unknown auth provider: " + e.getMessage(), > getCmdLineOptions()); > 544 } > 545 catch (NoSuchMethodException e) > 546 { > 547 errorMsg("Auth provider does not support plain text > credentials: " + e.getMessage(), getCmdLineOptions()); > 548 } > 549 catch (InstantiationException | IllegalAccessException | > IllegalArgumentException | InvocationTargetException e) > 550 { > 551 errorMsg("Could not create auth provider with plain text > credentials: " + e.getMessage(), getCmdLineOptions()); > 552 } > 553 } > 554 else > 555 { > 556 // If a 3rd party auth provider wasn't provided use the > driver plain text provider > 557 authProvider = new PlainTextAuthProvider(user, passwd); > 558 } > 559 } > 560 // Alternate support for 3rd party auth providers that don't use > plain text credentials. > 561 // In this case the auth provider must provide a nullary constructor > of the form: > 562 // > 563 // public MyAuthProvider() > 564 else if (authProviderName != null) > 565 { > 566 try > 567 { > 568 authProvider = > (AuthProvider)Class.forName(authProviderName).newInstance(); > 569 } > 570 catch (ClassNotFoundException | InstantiationException | > IllegalAccessException e) > 571 { > 572 errorMsg("Unknown auth provider" + e.getMessage(), > getCmdLineOptions()); > 573 } > 574 } > 575 > 576 return this; > 577 } > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)