[
https://issues.apache.org/jira/browse/CASSANDRA-12328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eduardo Aguinaga updated CASSANDRA-12328:
-----------------------------------------
Description:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of
the Cassandra source code. The analysis included an automated analysis using HP
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The
results of that analysis includes the issue below.
Issue:
There are multiple places in the Cassandra source code where a string that
determines the path of a file is not examined prior to use. Path traversal
vulnerabilities are common software security problems and failure to validate
the path prior to open/creating a file may result in operating in a directory
that is outside the intended control sphere.
Path manipulation issues were found in the following locations:
CompactionManager.java Line 637
Descriptor.java Line 224
MetadataSerializer.java Line 83, 153
CommitLog.java Line 199
LogTransaction.java Line 311
WindowsFailedSnapshotTracker.java Line 51, 55, 60, 78, 84, 95
LegacyMetadataSerializer.java Line 84
FileUtils.java Line 116, 172, 354, 368, 386, 437
RewindableDataInputStreamPlus.java Line 226
CassandraDaemon.java Line 557
NodeTool.java Line 261
CustomClassLoader.java Line 77
CoalescingStrategies.java Line 54, 150
FBUtilities.java Line 309, 748
The following snippet is from CompactionManager.java where unvalidated input is
parsed and used to create a new File object on line 637:
{code:java}
CompactionManager.java, lines 621-638:
621 public void forceUserDefinedCompaction(String dataFiles)
622 {
623 String[] filenames = dataFiles.split(",");
624 Multimap<ColumnFamilyStore, Descriptor> descriptors =
ArrayListMultimap.create();
625
626 for (String filename : filenames)
627 {
628 // extract keyspace and columnfamily name from filename
629 Descriptor desc = Descriptor.fromFilename(filename.trim());
630 if (Schema.instance.getCFMetaData(desc) == null)
631 {
632 logger.warn("Schema does not exist for file {}. Skipping.",
filename);
633 continue;
634 }
635 // group by keyspace/columnfamily
636 ColumnFamilyStore cfs =
Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
637 descriptors.put(cfs, cfs.getDirectories().find(new
File(filename.trim()).getName()));
638 }
{code}
was:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of
the Cassandra source code. The analysis included an automated analysis using HP
Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The
results of that analysis includes the issue below.
Issue:
There are several places in the Cassandra source code where a string that
determines the path of a file is not examined prior to use. Path traversal
vulnerabilities are common software security problems and failure to validate
the path prior to open/creating a file may result in operating in a directory
that is outside the intended control sphere.
Path manipulation issues were found in the following locations:
CompactionManager.java Line 637
Descriptor.java Line 224
MetadataSerializer.java Line 83
The following snippet is from CompactionManager.java where unvalidated input is
parsed and used to create a new File object on line 637:
{code:java}
CompactionManager.java, lines 621-638:
621 public void forceUserDefinedCompaction(String dataFiles)
622 {
623 String[] filenames = dataFiles.split(",");
624 Multimap<ColumnFamilyStore, Descriptor> descriptors =
ArrayListMultimap.create();
625
626 for (String filename : filenames)
627 {
628 // extract keyspace and columnfamily name from filename
629 Descriptor desc = Descriptor.fromFilename(filename.trim());
630 if (Schema.instance.getCFMetaData(desc) == null)
631 {
632 logger.warn("Schema does not exist for file {}. Skipping.",
filename);
633 continue;
634 }
635 // group by keyspace/columnfamily
636 ColumnFamilyStore cfs =
Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
637 descriptors.put(cfs, cfs.getDirectories().find(new
File(filename.trim()).getName()));
638 }
{code}
> Path Manipulation
> -----------------
>
> Key: CASSANDRA-12328
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12328
> Project: Cassandra
> Issue Type: Bug
> Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> There are multiple places in the Cassandra source code where a string that
> determines the path of a file is not examined prior to use. Path traversal
> vulnerabilities are common software security problems and failure to validate
> the path prior to open/creating a file may result in operating in a directory
> that is outside the intended control sphere.
> Path manipulation issues were found in the following locations:
> CompactionManager.java Line 637
> Descriptor.java Line 224
> MetadataSerializer.java Line 83, 153
> CommitLog.java Line 199
> LogTransaction.java Line 311
> WindowsFailedSnapshotTracker.java Line 51, 55, 60, 78, 84, 95
> LegacyMetadataSerializer.java Line 84
> FileUtils.java Line 116, 172, 354, 368, 386, 437
> RewindableDataInputStreamPlus.java Line 226
> CassandraDaemon.java Line 557
> NodeTool.java Line 261
> CustomClassLoader.java Line 77
> CoalescingStrategies.java Line 54, 150
> FBUtilities.java Line 309, 748
> The following snippet is from CompactionManager.java where unvalidated input
> is parsed and used to create a new File object on line 637:
> {code:java}
> CompactionManager.java, lines 621-638:
> 621 public void forceUserDefinedCompaction(String dataFiles)
> 622 {
> 623 String[] filenames = dataFiles.split(",");
> 624 Multimap<ColumnFamilyStore, Descriptor> descriptors =
> ArrayListMultimap.create();
> 625
> 626 for (String filename : filenames)
> 627 {
> 628 // extract keyspace and columnfamily name from filename
> 629 Descriptor desc = Descriptor.fromFilename(filename.trim());
> 630 if (Schema.instance.getCFMetaData(desc) == null)
> 631 {
> 632 logger.warn("Schema does not exist for file {}. Skipping.",
> filename);
> 633 continue;
> 634 }
> 635 // group by keyspace/columnfamily
> 636 ColumnFamilyStore cfs =
> Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
> 637 descriptors.put(cfs, cfs.getDirectories().find(new
> File(filename.trim()).getName()));
> 638 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
