[ 
https://issues.apache.org/jira/browse/CASSANDRA-12322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

C. Scott Andreas updated CASSANDRA-12322:
-----------------------------------------
    Component/s: Core

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select 
> Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12322
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12322
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Core
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis include the issue below.
> Issue:
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input to select which classes or code to use, but it does not 
> sufficiently prevent the input from selecting improper classes or code.
> The snippet below shows the issue on lines 112-116 by instantiating a class 
> by name.
> FastByteOperations.java, lines 103-127:
> {code:java}
> 103     static ByteOperations getBest()
> 104     {
> 105         String arch = System.getProperty("os.arch");
> 106         boolean unaligned = arch.equals("i386") || arch.equals("x86")
> 107                             || arch.equals("amd64") || arch.equals("x86_64") || arch.equals("s390x");
> 108         if (!unaligned)
> 109             return new PureJavaOperations();
> 110         try
> 111         {
> 112             Class<?> theClass = Class.forName(UNSAFE_COMPARER_NAME);
> 113 
> 114             // yes, UnsafeComparer does implement Comparer<byte[]>
> 115             @SuppressWarnings("unchecked")
> 116             ByteOperations comparer = (ByteOperations) theClass.getConstructor().newInstance();
> 117             return comparer;
> 118         }
> 119         catch (Throwable t)
> 120         {
> 121             JVMStabilityInspector.inspectThrowable(t);
> 122             // ensure we really catch *everything*
> 123             return new PureJavaOperations();
> 124         }
> 125     }
> 126 
> 127 }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
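Added here as an illustration and not part of the ticket or of Cassandra's own code: the weak pattern the report describes (a class name taken from an externally settable property and handed straight to Class.forName) beside a hardened form that resolves a short token through a closed allow-list, loads the class without running its static initialiser, and checks assignability before instantiating. The ByteOperations interface and the PureJavaOperations name mirror the snippet above; the class SafeByteOperationsLoader, the property name example.byteops and the token map are assumptions for the example. Note that in the snippet itself UNSAFE_COMPARER_NAME is a fixed name and os.arch only decides whether the lookup is attempted, so the hardening below matters most where the name is genuinely caller-supplied.

```java
import java.util.Map;

// Added example, not Cassandra code. The interface and the PureJavaOperations
// name mirror the ticket's snippet; everything else (this class, the
// "example.byteops" property, the token allow-list) is assumed for illustration.
public final class SafeByteOperationsLoader {

    public interface ByteOperations {
        int compare(byte[] a, byte[] b);
    }

    // Portable fallback: unsigned lexicographic byte comparison.
    public static final class PureJavaOperations implements ByteOperations {
        @Override
        public int compare(byte[] a, byte[] b) {
            int n = Math.min(a.length, b.length);
            for (int i = 0; i < n; i++) {
                int d = (a[i] & 0xff) - (b[i] & 0xff);
                if (d != 0) {
                    return d;
                }
            }
            return a.length - b.length;
        }
    }

    // WEAK: the fully qualified class name is taken verbatim from an externally
    // settable property and passed to Class.forName, which also runs the named
    // class's static initialiser before the cast below can fail.
    static ByteOperations weakGetBest() throws ReflectiveOperationException {
        String name = System.getProperty("example.byteops", PureJavaOperations.class.getName());
        return (ByteOperations) Class.forName(name).getConstructor().newInstance();
    }

    // Closed set of permitted implementations, keyed by a short token so that
    // callers never supply a class name at all.
    private static final Map<String, String> ALLOWED = Map.of(
            "pure", PureJavaOperations.class.getName());

    // HARDENED: resolve through the allow-list, load with initialize=false so no
    // static initialiser runs before the type check, verify assignability, then
    // instantiate through a typed Class<? extends ByteOperations>.
    static ByteOperations safeGetBest(String token) throws ReflectiveOperationException {
        String name = ALLOWED.get(token);
        if (name == null) {
            throw new IllegalArgumentException("no such ByteOperations implementation: " + token);
        }
        Class<?> raw = Class.forName(name, false, SafeByteOperationsLoader.class.getClassLoader());
        if (!ByteOperations.class.isAssignableFrom(raw)) {
            throw new IllegalStateException(name + " does not implement ByteOperations");
        }
        return raw.asSubclass(ByteOperations.class).getConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demonstration.
        byte[] x = {1, 2, 3};
        byte[] y = {1, 2, 4};

        ByteOperations ok = safeGetBest("pure");
        System.out.println("safeGetBest(\"pure\") -> " + ok.getClass().getSimpleName()
                + ", compare = " + ok.compare(x, y));

        // An arbitrary class name is rejected before any class is loaded.
        try {
            safeGetBest("java.lang.StringBuilder");
        } catch (IllegalArgumentException e) {
            System.out.println("safeGetBest rejected: " + e.getMessage());
        }

        // The weak variant loads (and initialises) whatever the property names;
        // only the cast afterwards fails.
        System.setProperty("example.byteops", "java.lang.StringBuilder");
        try {
            weakGetBest();
        } catch (ClassCastException e) {
            System.out.println("weakGetBest loaded StringBuilder first, then failed: " + e.getMessage());
        }
    }
}
```

The order of the checks in safeGetBest is the point: the allow-list lookup happens before any class is touched, the three-argument Class.forName with initialize=false defers static initialisation until isAssignableFrom has passed, and asSubclass gives a typed constructor so no unchecked cast is needed. The one-argument Class.forName used in weakGetBest initialises the named class immediately, so a caller-chosen name runs that class's static initialiser even when the subsequent cast throws.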
