[ https://issues.apache.org/jira/browse/CASSANDRA-9890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-9890: -------------------------------------- Reviewer: T Jake Luciani > Bytecode inspection for Java-UDFs > --------------------------------- > > Key: CASSANDRA-9890 > URL: https://issues.apache.org/jira/browse/CASSANDRA-9890 > Project: Cassandra > Issue Type: Improvement > Reporter: Robert Stupp > Assignee: Robert Stupp > Fix For: 3.0.0 rc1 > > > (Follow-up to CASSANDRA-9402) > For Java-UDFs we could inspect the compiled Java byte code to find usages of > the Java language that are "forbidden" to UDFs. > These include usages of: > * {{synchronized}} keyword > * call to {{j.l.Object.wait}} > * call to {{j.l.Object.notify}} > * call to {{j.l.Object.notifyAll}} > * call to {{j.l.Object.getClass}} > * calls to specific methods of currently allowed classes in the driver (but > would need some investigation) > By inspecting the byte code _before_ the class is actually used, even dirty > constructs like the following would be impossible: > {noformat} > CREATE OR REPLACE FUNCTION ... AS $$ return Math.sin(val); > } > { > // anonymous initializer code > } > static { > // static initializer code > $$; > {noformat} > (inspired by [this blog > post|http://jordan-wright.com/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/]) -- This message was sent by Atlassian JIRA (v6.3.4#6332)