[ https://issues.apache.org/jira/browse/CASSANDRA-12317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-12317:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12317
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12317
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
>
> Issue:
> Dynamically loaded code has the potential to be malicious. The application uses external input to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
>
> The snippet below shows the issue, which ends on line 198 by returning an object associated with a class by name.
>
> CompressionParams.java, lines 190-204:
> {code:java}
> 190    private static Class<?> parseCompressorClass(String className) throws ConfigurationException
> 191    {
> 192        if (className == null || className.isEmpty())
> 193            return null;
> 194
> 195        className = className.contains(".") ? className : "org.apache.cassandra.io.compress." + className;
> 196        try
> 197        {
> 198            return Class.forName(className);
> 199        }
> 200        catch (Exception e)
> 201        {
> 202            throw new ConfigurationException("Could not create Compression for type " + className, e);
> 203        }
> 204    }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
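The finding above is that `Class.forName` resolves whatever name arrives in the configuration. The usual mitigation is to validate the name before it reaches the class loader and to check the loaded class against the expected contract afterwards. The example below is added here and is not Cassandra's code: `Compressor`, `ConfigurationException`, `ExampleLz4` and the allow-list contents are constructed stand-ins so the snippet compiles and runs on its own (Java 9+ for `Set.of`); in Cassandra the contract would be its own compressor interface and the allow-list the compressors the project actually ships.

```java
import java.util.Set;

public final class SafeCompressorLoader {

    /** Stand-in for the contract a loaded compressor class must satisfy (assumption, not Cassandra's interface). */
    public interface Compressor {
        byte[] compress(byte[] input);
    }

    /** Example-only implementation so the allow-list has a class that really resolves at run time. */
    public static final class ExampleLz4 implements Compressor {
        public byte[] compress(byte[] input) { return input; }
    }

    /** Example-only stand-in for Cassandra's ConfigurationException. */
    public static final class ConfigurationException extends Exception {
        public ConfigurationException(String msg) { super(msg); }
        public ConfigurationException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Same default package prefix as the snippet in the issue.
    private static final String DEFAULT_PACKAGE = "org.apache.cassandra.io.compress.";

    // Allow-list of fully qualified names that may be loaded (constructed for this example).
    // Anything not listed is rejected before Class.forName is ever called.
    private static final Set<String> ALLOWED_COMPRESSORS = Set.of(
        DEFAULT_PACKAGE + "LZ4Compressor",
        DEFAULT_PACKAGE + "SnappyCompressor",
        DEFAULT_PACKAGE + "DeflateCompressor",
        SafeCompressorLoader.class.getName() + "$ExampleLz4");

    /**
     * Hardened counterpart of parseCompressorClass: the external name must be on the
     * allow-list, the class is resolved without running its static initializers, and
     * the result must implement the expected contract before it is returned.
     */
    public static Class<? extends Compressor> parseCompressorClass(String className)
            throws ConfigurationException {
        if (className == null || className.isEmpty())
            return null;

        String fqcn = className.contains(".") ? className : DEFAULT_PACKAGE + className;

        // 1. Validate the externally supplied name against the allow-list first.
        if (!ALLOWED_COMPRESSORS.contains(fqcn))
            throw new ConfigurationException("Compressor class is not permitted: " + fqcn);

        try {
            // 2. initialize=false: resolve the class without executing its static initializer,
            //    using an explicit loader rather than whatever Class.forName(String) would pick.
            Class<?> cls = Class.forName(fqcn, false, SafeCompressorLoader.class.getClassLoader());

            // 3. Enforce the contract: only classes implementing Compressor are acceptable.
            if (!Compressor.class.isAssignableFrom(cls))
                throw new ConfigurationException(fqcn + " does not implement Compressor");

            return cls.asSubclass(Compressor.class);
        } catch (ClassNotFoundException e) {
            throw new ConfigurationException("Could not create Compression for type " + fqcn, e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Accepted: short name that maps onto an allow-listed, resolvable class.
        System.out.println("loaded: " + parseCompressorClass("SafeCompressorLoader$ExampleLz4"));

        // Rejected: a real JDK class that is not a compressor and is not on the allow-list.
        try {
            parseCompressorClass("java.util.ArrayList");
        } catch (ConfigurationException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Rejected: on the allow-list by name but not present on this classpath.
        try {
            parseCompressorClass("LZ4Compressor");
        } catch (ConfigurationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of the three checks matters: the allow-list runs before any class loading, so an unexpected name never reaches the loader; `initialize=false` keeps static initializers from running during resolution; and the `isAssignableFrom` check catches a listed name that somehow points at the wrong type. Keeping the allow-list as a closed set of known compressors, rather than a package-prefix rule, is what removes the "externally-controlled input selects the class" condition the scanner flagged.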