[ https://issues.apache.org/jira/browse/CAMEL-7072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leonid Marushevskiy updated CAMEL-7072:
---------------------------------------

    Description: 
Pull request https://github.com/apache/camel/pull/68

During a Veracode scan of our application we discovered a security issue in Camel. Please review our fix and apply it in future versions.

Quote from Veracode report below:

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) (1 flaw)

Description
A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the user-supplied class name will have already executed.

Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.

Recommendations
Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.

Instances found via Static Scan
Module # Class # Module Location Fix By Flaw Id
.../AnnotationTypeConverterLoader.java - line 168

  was:
During a Veracode scan of our application we discovered a security issue in Camel. Please review our fix and apply it in future versions.

Quote from Veracode report below:

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) (1 flaw)

Description
A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the user-supplied class name will have already executed.

Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.

Recommendations
Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.

Instances found via Static Scan
Module # Class # Module Location Fix By Flaw Id
.../AnnotationTypeConverterLoader.java - line 168


> Veracode compliance. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) in AnnotationTypeConverterLoader
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-7072
>                 URL: https://issues.apache.org/jira/browse/CAMEL-7072
>             Project: Camel
>          Issue Type: Improvement
>    Affects Versions: 2.12.2
>            Reporter: Leonid Marushevskiy
>              Labels: Security, Veracode
>
> Pull request https://github.com/apache/camel/pull/68
> During a Veracode scan of our application we discovered a security issue in Camel. Please review our fix and apply it in future versions.
>
> Quote from Veracode report below:
>
> Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) (1 flaw)
>
> Description
> A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the user-supplied class name will have already executed.
>
> Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
>
> Recommendations
> Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.
>
> Instances found via Static Scan
> Module # Class # Module Location Fix By Flaw Id
> .../AnnotationTypeConverterLoader.java - line 168



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
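The following is an added illustration of the CWE-470 pattern the Veracode finding describes and of the fix it recommends; it is not Camel's code and not the pull request above. The loader, the hypothetical `Converter` interface, the allow-list prefixes and the sample class names are all constructed for the example. The unsafe form instantiates a class from a configuration-supplied name and only then casts it, so the constructor (and, with `Class.forName`'s default arguments, the static initializer) runs before the `ClassCastException`. The hardened form checks the name against an allow list, resolves the class without initializing it, verifies it implements the expected interface, and only then instantiates it.

```java
import java.util.List;

// Added example (not Camel's code): a hypothetical plugin loader that turns a
// class name read from configuration into a Converter instance.
public class ConverterLoader {

    /** Hypothetical contract that loaded classes are expected to implement. */
    public interface Converter {
        Object convert(Object value);
    }

    /** Constructed sample: a legitimate converter. */
    public static class UpperCaseConverter implements Converter {
        public Object convert(Object value) { return String.valueOf(value).toUpperCase(); }
    }

    /** Constructed sample: an unrelated class whose constructor has a visible side effect. */
    public static class NotAConverter {
        public NotAConverter() { System.out.println("NotAConverter constructor ran"); }
    }

    // Unsafe form (CWE-470): resolve AND instantiate before any type check.
    // Class.forName(name) initializes the class, and newInstance() runs the
    // constructor, so both execute even when the cast below fails.
    static Converter loadUnsafe(String className) throws Exception {
        Object o = Class.forName(className).getDeclaredConstructor().newInstance();
        return (Converter) o; // too late: constructor has already executed
    }

    // Allow list (constructed for the example): only names with these prefixes
    // may be loaded. Nested classes of this example are allowed so main() runs.
    static final List<String> ALLOWED_PREFIXES = List.of(
            "com.example.converters.",
            ConverterLoader.class.getName() + "$");

    // Hardened form: validate the name, resolve without initializing, verify the
    // type, and only then instantiate.
    static Converter loadSafe(String className, ClassLoader loader) throws Exception {
        if (className == null || ALLOWED_PREFIXES.stream().noneMatch(className::startsWith)) {
            throw new IllegalArgumentException("class name not in allow list: " + className);
        }
        // initialize=false: no static initializer runs just because a name was supplied
        Class<?> clazz = Class.forName(className, false, loader);
        if (!Converter.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not a Converter: " + className);
        }
        // Only now does user-selected code run, and only for a Converter subtype.
        return clazz.asSubclass(Converter.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = ConverterLoader.class.getClassLoader();
        String good = UpperCaseConverter.class.getName();
        String bad = NotAConverter.class.getName();

        // Unsafe loader: the NotAConverter constructor prints before the cast fails.
        try {
            loadUnsafe(bad);
        } catch (ClassCastException e) {
            System.out.println("unsafe loader: ClassCastException after constructor ran");
        }

        // Hardened loader: rejected before any code in NotAConverter executes.
        try {
            loadSafe(bad, cl);
        } catch (IllegalArgumentException e) {
            System.out.println("safe loader rejected: " + e.getMessage());
        }

        // Hardened loader: a name outside the allow list is rejected before resolution.
        try {
            loadSafe("java.util.ArrayList", cl);
        } catch (IllegalArgumentException e) {
            System.out.println("safe loader rejected: " + e.getMessage());
        }

        // Hardened loader accepts the legitimate converter.
        Converter c = loadSafe(good, cl);
        System.out.println("safe loader result: " + c.convert("camel"));
    }
}
```

The ordering in `loadSafe` is the point: the allow-list check costs nothing and needs no class loading, `Class.forName(name, false, loader)` lets the type check happen without running the class's static initializer, and instantiation is the last step, so a name that fails validation never executes any of its code.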
