[ https://issues.apache.org/jira/browse/CASSANDRA-12321?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Ellis updated CASSANDRA-12321:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12321
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12321
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis include the issue below.
> Issue:
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input to select which classes or code to use, but it does not 
> sufficiently prevent the input from selecting improper classes or code.
> The snippet below shows the issue on lines 523-532 by instantiating a class 
> by name.
> CoalescingStrategies.java, lines 494-538:
> {code:java}
> 494 @VisibleForTesting
> 495 static CoalescingStrategy newCoalescingStrategy(String strategy,
> 496                                                 int coalesceWindow,
> 497                                                 Parker parker,
> 498                                                 Logger logger,
> 499                                                 String displayName)
> 500 {
> 501     String classname = null;
> 502     String strategyCleaned = strategy.trim().toUpperCase();
> 503     switch(strategyCleaned)
> 504     {
> 505     case "MOVINGAVERAGE":
> 506         classname = MovingAverageCoalescingStrategy.class.getName();
> 507         break;
> 508     case "FIXED":
> 509         classname = FixedCoalescingStrategy.class.getName();
> 510         break;
> 511     case "TIMEHORIZON":
> 512         classname = TimeHorizonMovingAverageCoalescingStrategy.class.getName();
> 513         break;
> 514     case "DISABLED":
> 515         classname = DisabledCoalescingStrategy.class.getName();
> 516         break;
> 517     default:
> 518         classname = strategy;
> 519     }
> 520 
> 521     try
> 522     {
> 523         Class<?> clazz = Class.forName(classname);
> 524 
> 525         if (!CoalescingStrategy.class.isAssignableFrom(clazz))
> 526         {
> 527             throw new RuntimeException(classname + " is not an instance of CoalescingStrategy");
> 528         }
> 529 
> 530         Constructor<?> constructor = clazz.getConstructor(int.class, Parker.class, Logger.class, String.class);
> 531 
> 532         return (CoalescingStrategy)constructor.newInstance(coalesceWindow, parker, logger, displayName);
> 533     }
> 534     catch (Exception e)
> 535     {
> 536         throw new RuntimeException(e);
> 537     }
> 538 }
> {code}
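As an added illustration, not code from the issue or from the Cassandra project: one way to remove the externally controlled `Class.forName` path is to resolve the strategy name against an explicit allowlist of factories, so an unrecognised value is rejected instead of being handed to the class loader. The `CoalescingStrategy`, `Parker` and `Logger` types and the four concrete strategy classes are assumed to exist with the `(int, Parker, Logger, String)` constructor that the quoted code already requires of them.

```java
import java.util.Locale;
import java.util.Map;

final class CoalescingStrategyFactory
{
    /** Factory signature mirroring the (int, Parker, Logger, String) constructor looked up reflectively above. */
    @FunctionalInterface
    interface StrategyCtor
    {
        CoalescingStrategy create(int coalesceWindow, Parker parker, Logger logger, String displayName);
    }

    // Allowlist: the only strategies an operator may select by name.
    // No reflection and no Class.forName, so configuration input can never name an arbitrary class.
    private static final Map<String, StrategyCtor> STRATEGIES = Map.of(
        "MOVINGAVERAGE", MovingAverageCoalescingStrategy::new,
        "FIXED",         FixedCoalescingStrategy::new,
        "TIMEHORIZON",   TimeHorizonMovingAverageCoalescingStrategy::new,
        "DISABLED",      DisabledCoalescingStrategy::new);

    static CoalescingStrategy newCoalescingStrategy(String strategy,
                                                    int coalesceWindow,
                                                    Parker parker,
                                                    Logger logger,
                                                    String displayName)
    {
        // Same normalisation as the original (trim + upper-case), with an explicit locale.
        String key = strategy.trim().toUpperCase(Locale.ROOT);
        StrategyCtor ctor = STRATEGIES.get(key);
        if (ctor == null)
        {
            // Unknown input is rejected outright instead of falling through to Class.forName(strategy).
            throw new IllegalArgumentException("Unknown coalescing strategy '" + strategy
                                               + "'; expected one of " + STRATEGIES.keySet());
        }
        return ctor.create(coalesceWindow, parker, logger, displayName);
    }
}
```

Where a pluggable strategy genuinely must be loadable by name, the same structure can keep a reflective branch that is restricted to an expected package prefix and still subject to the `isAssignableFrom` check shown in the quoted code.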

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)