[
https://issues.apache.org/jira/browse/CASSANDRA-12328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonathan Ellis updated CASSANDRA-12328:
---------------------------------------
Issue Type: Sub-task (was: Bug)
Parent: CASSANDRA-12334
> Path Manipulation
> -----------------
>
> Key: CASSANDRA-12328
> URL: https://issues.apache.org/jira/browse/CASSANDRA-12328
> Project: Cassandra
> Issue Type: Sub-task
> Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis includes the issue below.
> Issue:
> There are multiple places in the Cassandra source code where a string that
> determines the path of a file is not examined prior to use. Path traversal
> vulnerabilities are common software security problems and failure to validate
> the path prior to open/creating a file may result in operating in a directory
> that is outside the intended control sphere.
> Path manipulation issues were found in the following locations:
> CompactionManager.java Line 637
> Descriptor.java Line 224
> MetadataSerializer.java Line 83, 153
> CommitLog.java Line 199
> LogTransaction.java Line 311
> WindowsFailedSnapshotTracker.java Line 51, 55, 60, 78, 84, 95
> LegacyMetadataSerializer.java Line 84
> FileUtils.java Line 116, 172, 354, 368, 386, 437
> RewindableDataInputStreamPlus.java Line 226
> CassandraDaemon.java Line 557
> NodeTool.java Line 261
> CustomClassLoader.java Line 77
> CoalescingStrategies.java Line 54, 150
> FBUtilities.java Line 309, 748
> The following snippet is from CompactionManager.java where unvalidated input
> is parsed and used to create a new File object on line 637:
> {code:java}
> CompactionManager.java, lines 621-638:
> 621 public void forceUserDefinedCompaction(String dataFiles)
> 622 {
> 623 String[] filenames = dataFiles.split(",");
> 624 Multimap<ColumnFamilyStore, Descriptor> descriptors =
> ArrayListMultimap.create();
> 625
> 626 for (String filename : filenames)
> 627 {
> 628 // extract keyspace and columnfamily name from filename
> 629 Descriptor desc = Descriptor.fromFilename(filename.trim());
> 630 if (Schema.instance.getCFMetaData(desc) == null)
> 631 {
> 632 logger.warn("Schema does not exist for file {}. Skipping.",
> filename);
> 633 continue;
> 634 }
> 635 // group by keyspace/columnfamily
> 636 ColumnFamilyStore cfs =
> Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
> 637 descriptors.put(cfs, cfs.getDirectories().find(new
> File(filename.trim()).getName()));
> 638 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
