[ https://issues.apache.org/jira/browse/CASSANDRA-12324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15396194#comment-15396194 ]
Eduardo Aguinaga commented on CASSANDRA-12324: ---------------------------------------------- Thank you...updating all me entries. > Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select > Classes or Code > ------------------------------------------------------------------------------------------ > > Key: CASSANDRA-12324 > URL: https://issues.apache.org/jira/browse/CASSANDRA-12324 > Project: Cassandra > Issue Type: Bug > Reporter: Eduardo Aguinaga > > Overview: > In May through June of 2016 a static analysis was performed on version 3.0.5 > of the Cassandra source code. The analysis included an automated analysis > using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools > Understand v4. The results of that analysis includes the issue below. > Issue: > Dynamically loaded code has the potential to be malicious. The application > uses external input to select which classes or code to use, but it does not > sufficiently prevent the input from selecting improper classes or code. > The snippet below shows the issue which ends on line 436 by returning an > object associated with a class by name. > {code:java} > FBUtilities.java, lines 432-442: > 432 public static <T> Class<T> classForName(String classname, String > readable) throws ConfigurationException > 433 { > 434 try > 435 { > 436 return (Class<T>)Class.forName(classname); > 437 } > 438 catch (ClassNotFoundException | NoClassDefFoundError e) > 439 { > 440 throw new ConfigurationException(String.format("Unable to find %s > class '%s'", readable, classname), e); > 441 } > 442 } > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)