[
https://issues.apache.org/jira/browse/CASSANDRA-12324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonathan Ellis updated CASSANDRA-12324:
---------------------------------------
Issue Type: Sub-task (was: Bug)
Parent: CASSANDRA-12334
> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select
> Classes or Code
> ------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-12324
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12324
> Project: Cassandra
> Issue Type: Sub-task
> Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> Dynamically loaded code has the potential to be malicious. The application
> uses external input to select which classes or code to use, but it does not
> sufficiently prevent the input from selecting improper classes or code.
> The snippet below shows the issue which ends on line 436 by returning an
> object associated with a class by name.
> {code:java}
> FBUtilities.java, lines 432-442:
> 432 public static <T> Class<T> classForName(String classname, String
> readable) throws ConfigurationException
> 433 {
> 434 try
> 435 {
> 436 return (Class<T>)Class.forName(classname);
> 437 }
> 438 catch (ClassNotFoundException | NoClassDefFoundError e)
> 439 {
> 440 throw new ConfigurationException(String.format("Unable to find %s
> class '%s'", readable, classname), e);
> 441 }
> 442 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
