[jira] [Updated] (CASSANDRA-12318) Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code

Wed, 27 Jul 2016 14:28:49 -0700 

     [ 
https://issues.apache.org/jira/browse/CASSANDRA-12318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jonathan Ellis updated CASSANDRA-12318:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select 
> Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12318
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12318
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input to select which classes or code to use, but it does not 
> sufficiently prevent the input from selecting improper classes or code.
> The snippet below shows the issue on lines 144-146 by instantiating an object 
> associated with a class by name.
> CacheService.java, lines 135-162:
> {code:java}
> 135 private AutoSavingCache<RowCacheKey, IRowCacheEntry> initRowCache()
> 136 {
> 137     logger.info("Initializing row cache with capacity of {} MBs", 
> DatabaseDescriptor.getRowCacheSizeInMB());
> 138 
> 139     CacheProvider<RowCacheKey, IRowCacheEntry> cacheProvider;
> 140     String cacheProviderClassName = 
> DatabaseDescriptor.getRowCacheSizeInMB() > 0
> 141                                     ? 
> DatabaseDescriptor.getRowCacheClassName() : 
> "org.apache.cassandra.cache.NopCacheProvider";
> 142     try
> 143     {
> 144         Class<CacheProvider<RowCacheKey, IRowCacheEntry>> 
> cacheProviderClass =
> 145             (Class<CacheProvider<RowCacheKey, IRowCacheEntry>>) 
> Class.forName(cacheProviderClassName);
> 146         cacheProvider = cacheProviderClass.newInstance();
> 147     }
> 148     catch (Exception e)
> 149     {
> 150         throw new RuntimeException("Cannot find configured row cache 
> provider class " + DatabaseDescriptor.getRowCacheClassName());
> 151     }
> 152 
> 153     // cache object
> 154     ICache<RowCacheKey, IRowCacheEntry> rc = cacheProvider.create();
> 155     AutoSavingCache<RowCacheKey, IRowCacheEntry> rowCache = new 
> AutoSavingCache<>(rc, CacheType.ROW_CACHE, new RowCacheSerializer());
> 156 
> 157     int rowCacheKeysToSave = DatabaseDescriptor.getRowCacheKeysToSave();
> 158 
> 159     rowCache.scheduleSaving(DatabaseDescriptor.getRowCacheSavePeriod(), 
> rowCacheKeysToSave);
> 160 
> 161     return rowCache;
> 162 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to