[ https://issues.apache.org/jira/browse/CASSANDRA-12318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-12318: --------------------------------------- Issue Type: Sub-task (was: Bug) Parent: CASSANDRA-12334 > Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select > Classes or Code > ------------------------------------------------------------------------------------------ > > Key: CASSANDRA-12318 > URL: https://issues.apache.org/jira/browse/CASSANDRA-12318 > Project: Cassandra > Issue Type: Sub-task > Reporter: Eduardo Aguinaga > > Overview: > In May through June of 2016 a static analysis was performed on version 3.0.5 > of the Cassandra source code. The analysis included an automated analysis > using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools > Understand v4. The results of that analysis includes the issue below. > Issue: > Dynamically loaded code has the potential to be malicious. The application > uses external input to select which classes or code to use, but it does not > sufficiently prevent the input from selecting improper classes or code. > The snippet below shows the issue on lines 144-146 by instantiating an object > associated with a class by name. > CacheService.java, lines 135-162: > {code:java} > 135 private AutoSavingCache<RowCacheKey, IRowCacheEntry> initRowCache() > 136 { > 137 logger.info("Initializing row cache with capacity of {} MBs", > DatabaseDescriptor.getRowCacheSizeInMB()); > 138 > 139 CacheProvider<RowCacheKey, IRowCacheEntry> cacheProvider; > 140 String cacheProviderClassName = > DatabaseDescriptor.getRowCacheSizeInMB() > 0 > 141 ? > DatabaseDescriptor.getRowCacheClassName() : > "org.apache.cassandra.cache.NopCacheProvider"; > 142 try > 143 { > 144 Class<CacheProvider<RowCacheKey, IRowCacheEntry>> > cacheProviderClass = > 145 (Class<CacheProvider<RowCacheKey, IRowCacheEntry>>) > Class.forName(cacheProviderClassName); > 146 cacheProvider = cacheProviderClass.newInstance(); > 147 } > 148 catch (Exception e) > 149 { > 150 throw new RuntimeException("Cannot find configured row cache > provider class " + DatabaseDescriptor.getRowCacheClassName()); > 151 } > 152 > 153 // cache object > 154 ICache<RowCacheKey, IRowCacheEntry> rc = cacheProvider.create(); > 155 AutoSavingCache<RowCacheKey, IRowCacheEntry> rowCache = new > AutoSavingCache<>(rc, CacheType.ROW_CACHE, new RowCacheSerializer()); > 156 > 157 int rowCacheKeysToSave = DatabaseDescriptor.getRowCacheKeysToSave(); > 158 > 159 rowCache.scheduleSaving(DatabaseDescriptor.getRowCacheSavePeriod(), > rowCacheKeysToSave); > 160 > 161 return rowCache; > 162 } > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)