[
https://issues.apache.org/jira/browse/CASSANDRA-12321?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonathan Ellis updated CASSANDRA-12321:
---------------------------------------
Issue Type: Sub-task (was: Bug)
Parent: CASSANDRA-12334
> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select
> Classes or Code
> ------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-12321
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12321
> Project: Cassandra
> Issue Type: Sub-task
> Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> Dynamically loaded code has the potential to be malicious. The application
> uses external input to select which classes or code to use, but it does not
> sufficiently prevent the input from selecting improper classes or code.
> The snippet below shows the issue on lines 523-532 by instantiating a class
> by name.
> CoalescingStrategies.java, lines 494-538:
> {code:java}
> 494 @VisibleForTesting
> 495 static CoalescingStrategy newCoalescingStrategy(String strategy,
> 496 int coalesceWindow,
> 497 Parker parker,
> 498 Logger logger,
> 499 String displayName)
> 500 {
> 501 String classname = null;
> 502 String strategyCleaned = strategy.trim().toUpperCase();
> 503 switch(strategyCleaned)
> 504 {
> 505 case "MOVINGAVERAGE":
> 506 classname = MovingAverageCoalescingStrategy.class.getName();
> 507 break;
> 508 case "FIXED":
> 509 classname = FixedCoalescingStrategy.class.getName();
> 510 break;
> 511 case "TIMEHORIZON":
> 512 classname =
> TimeHorizonMovingAverageCoalescingStrategy.class.getName();
> 513 break;
> 514 case "DISABLED":
> 515 classname = DisabledCoalescingStrategy.class.getName();
> 516 break;
> 517 default:
> 518 classname = strategy;
> 519 }
> 520
> 521 try
> 522 {
> 523 Class<?> clazz = Class.forName(classname);
> 524
> 525 if (!CoalescingStrategy.class.isAssignableFrom(clazz))
> 526 {
> 527 throw new RuntimeException(classname + " is not an instance
> of CoalescingStrategy");
> 528 }
> 529
> 530 Constructor<?> constructor = clazz.getConstructor(int.class,
> Parker.class, Logger.class, String.class);
> 531
> 532 return
> (CoalescingStrategy)constructor.newInstance(coalesceWindow, parker, logger,
> displayName);
> 533 }
> 534 catch (Exception e)
> 535 {
> 536 throw new RuntimeException(e);
> 537 }
> 538 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
