[jira] [Updated] (CASSANDRA-12328) Path Manipulation

Wed, 27 Jul 2016 14:35:52 -0700 

     [ 
https://issues.apache.org/jira/browse/CASSANDRA-12328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jonathan Ellis updated CASSANDRA-12328:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Path Manipulation
> -----------------
>
>                 Key: CASSANDRA-12328
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12328
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 
> of the Cassandra source code. The analysis included an automated analysis 
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools 
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> There are multiple places in the Cassandra source code where a string that 
> determines the path of a file is not examined prior to use. Path traversal 
> vulnerabilities are common software security problems and failure to validate 
> the path prior to open/creating a file may result in operating in a directory 
> that is outside the intended control sphere.
> Path manipulation issues were found in the following locations:
> CompactionManager.java Line 637
> Descriptor.java Line 224
> MetadataSerializer.java Line 83, 153
> CommitLog.java Line 199
> LogTransaction.java Line 311
> WindowsFailedSnapshotTracker.java Line 51, 55, 60, 78, 84, 95
> LegacyMetadataSerializer.java Line 84
> FileUtils.java Line 116, 172, 354, 368, 386, 437
> RewindableDataInputStreamPlus.java Line 226
> CassandraDaemon.java Line 557
> NodeTool.java Line 261
> CustomClassLoader.java Line 77
> CoalescingStrategies.java Line 54, 150
> FBUtilities.java Line 309, 748
> The following snippet is from CompactionManager.java where unvalidated input 
> is parsed and used to create a new File object on line 637:
> {code:java}
> CompactionManager.java, lines 621-638:
> 621 public void forceUserDefinedCompaction(String dataFiles)
> 622 {
> 623     String[] filenames = dataFiles.split(",");
> 624     Multimap<ColumnFamilyStore, Descriptor> descriptors = 
> ArrayListMultimap.create();
> 625 
> 626     for (String filename : filenames)
> 627     {
> 628         // extract keyspace and columnfamily name from filename
> 629         Descriptor desc = Descriptor.fromFilename(filename.trim());
> 630         if (Schema.instance.getCFMetaData(desc) == null)
> 631         {
> 632             logger.warn("Schema does not exist for file {}. Skipping.", 
> filename);
> 633             continue;
> 634         }
> 635         // group by keyspace/columnfamily
> 636         ColumnFamilyStore cfs = 
> Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
> 637         descriptors.put(cfs, cfs.getDirectories().find(new 
> File(filename.trim()).getName()));
> 638     }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to