[
https://issues.apache.org/jira/browse/CASSANDRA-12325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eduardo Aguinaga updated CASSANDRA-12325:
-----------------------------------------
Reproduced In: 3.0.5
Fix Version/s: (was: 3.0.5)
> Access Specifier Manipulation
> -----------------------------
>
> Key: CASSANDRA-12325
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12325
> Project: Cassandra
> Issue Type: Bug
> Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
> Issue:
> There are 18 instances in the Cassandra source code where setAccessible() is
> used to suppress Java language access checking. Static analysis automation
> tools, like Fortify, will log every instance of the use of setAccessible()
> and its use represents a possible security issue.
> The use of setAccessible() can cause security problems if the Java access
> checking is suppressed longer than required or if another approach could be
> taken other than suppressing access checking. This issue will list all 18
> instances where setAccessible() is used; the usage of this method should
> be reviewed and checked to make sure it is not used inappropriately.
> setAccessible() is used in the following places:
> UDHelper.java Line 49
> HadoopCompat.java Line 109, 113, 118, 150, 152, 154
> Memory.java Line 42
> GCInspector.java Line 68
> Locks.java Line 33
> Ref.java Line 626
> FastByteOperations.java Line 150
> FBUtilities.java Line 539
> Hex.java Line 128
> MemoryUtil.java Line 61
> SyncUtil.java Line 33, 45, 57
> UDHelper.java, lines 45-56:
> {code:java}
> 45     try
> 46     {
> 47         Class<?> cls = Class.forName("com.datastax.driver.core.DataTypeClassNameParser");
> 48         Method m = cls.getDeclaredMethod("parseOne", String.class, ProtocolVersion.class, CodecRegistry.class);
> 49         m.setAccessible(true);
> 50         methodParseOne = MethodHandles.lookup().unreflect(m);
> 51         codecRegistry = new CodecRegistry();
> 52     }
> 53     catch (Exception e)
> 54     {
> 55         throw new RuntimeException(e);
> 56     }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
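The UDHelper snippet quoted above is the pattern a reviewer of this finding most wants to confirm: the access check is suppressed on one reflected Method object, converted into a MethodHandle once, and the Method is then dropped. The following self-contained Java program is an added illustration written for this note; it is not code from the Cassandra project or from the reporter. The class names ParserStandIn and SetAccessibleReview and the private parseOne(String, int) stand-in are invented so the program runs without the DataStax driver on the classpath. It reproduces the UDHelper shape and then demonstrates the scoping property that makes it acceptable: a freshly obtained Method for the same member still has access checking enabled, so the suppression window is exactly the static initializer.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

// Invented stand-in for a third-party class whose non-public method we need,
// playing the role of DataTypeClassNameParser.parseOne in the issue. It must be
// a separate top-level class: nested classes would be nestmates (Java 11+) and
// the private access below would then be permitted without setAccessible().
final class ParserStandIn {
    private static String parseOne(String typeName, int protocolVersion) {
        return typeName.trim().toLowerCase() + "@v" + protocolVersion;
    }
}

public class SetAccessibleReview {

    // Same shape as UDHelper: resolve once, suppress the access check on this
    // Method copy only, unreflect it into a MethodHandle, and let the Method go.
    private static final MethodHandle PARSE_ONE;

    static {
        try {
            Method m = ParserStandIn.class.getDeclaredMethod("parseOne", String.class, int.class);
            m.setAccessible(true); // affects this java.lang.reflect.Method instance, nothing else
            PARSE_ONE = MethodHandles.lookup().unreflect(m);
        } catch (ReflectiveOperationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // The check a reviewer wants: getDeclaredMethod() hands out a fresh copy with
    // the accessible flag clear, so invoking it from this class is still refused.
    // Returns true when the JVM still enforces the check, i.e. nothing leaked.
    static boolean freshCopyStillChecked() throws NoSuchMethodException {
        Method again = ParserStandIn.class.getDeclaredMethod("parseOne", String.class, int.class);
        try {
            again.invoke(null, "Int", 4);
            return false; // would mean access checking had been switched off globally
        } catch (IllegalAccessException expected) {
            return true;
        } catch (InvocationTargetException e) {
            throw new IllegalStateException(e);
        }
    }

    // Production path: the pre-bound handle is the only way the private member
    // is reachable, and it is a static final that cannot be re-targeted.
    static String parse(String typeName, int protocolVersion) {
        try {
            return (String) PARSE_ONE.invokeExact(typeName, protocolVersion);
        } catch (Throwable t) {
            throw new RuntimeException(t);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parse("  Int ", 4));       // int@v4
        System.out.println(freshCopyStillChecked());  // true
    }
}
```

Compile and run with `javac SetAccessibleReview.java && java SetAccessibleReview`. When triaging the other 17 sites, the same two questions apply: is the Method or Field whose flag was flipped discarded (or at least confined to a private final) rather than handed around, and is there a supported public API that makes the reflection unnecessary. On Java 9 and later, `MethodHandles.privateLookupIn(targetClass, MethodHandles.lookup())` is the documented replacement for this pattern; it still requires the target package to be opened to the caller's module, so it changes where the access decision is enforced rather than removing it.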