[ https://issues.apache.org/jira/browse/CASSANDRA-12328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan Ellis updated CASSANDRA-12328:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Path Manipulation
> -----------------
>
>                 Key: CASSANDRA-12328
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12328
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
>
> Issue:
> There are multiple places in the Cassandra source code where a string that determines the path of a file is not examined prior to use. Path traversal vulnerabilities are common software security problems, and failure to validate the path prior to opening/creating a file may result in operating in a directory that is outside the intended control sphere.
>
> Path manipulation issues were found in the following locations:
> CompactionManager.java Line 637
> Descriptor.java Line 224
> MetadataSerializer.java Line 83, 153
> CommitLog.java Line 199
> LogTransaction.java Line 311
> WindowsFailedSnapshotTracker.java Line 51, 55, 60, 78, 84, 95
> LegacyMetadataSerializer.java Line 84
> FileUtils.java Line 116, 172, 354, 368, 386, 437
> RewindableDataInputStreamPlus.java Line 226
> CassandraDaemon.java Line 557
> NodeTool.java Line 261
> CustomClassLoader.java Line 77
> CoalescingStrategies.java Line 54, 150
> FBUtilities.java Line 309, 748
>
> The following snippet is from CompactionManager.java, where unvalidated input is parsed and used to create a new File object on line 637:
> {code:java}
> CompactionManager.java, lines 621-638:
> 621 public void forceUserDefinedCompaction(String dataFiles)
> 622 {
> 623     String[] filenames = dataFiles.split(",");
> 624     Multimap<ColumnFamilyStore, Descriptor> descriptors = ArrayListMultimap.create();
> 625
> 626     for (String filename : filenames)
> 627     {
> 628         // extract keyspace and columnfamily name from filename
> 629         Descriptor desc = Descriptor.fromFilename(filename.trim());
> 630         if (Schema.instance.getCFMetaData(desc) == null)
> 631         {
> 632             logger.warn("Schema does not exist for file {}. Skipping.", filename);
> 633             continue;
> 634         }
> 635         // group by keyspace/columnfamily
> 636         ColumnFamilyStore cfs = Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
> 637         descriptors.put(cfs, cfs.getDirectories().find(new File(filename.trim()).getName()));
> 638     }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
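
One way to examine a caller-supplied path before use, as an added example (not Cassandra code and not the project's fix for this issue): resolve the string to its real path and accept it only if it lies under a configured data directory. `PathGuard`, `resolveInside` and the temporary directory layout are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.List;

// Added example: PathGuard and resolveInside are hypothetical names, not Cassandra APIs.
public final class PathGuard
{
    // Returns the real path of userSupplied if it is an existing file under one of allowedRoots.
    // Throws SecurityException if it resolves elsewhere, NoSuchFileException if it does not exist.
    static Path resolveInside(List<Path> allowedRoots, String userSupplied) throws IOException
    {
        // toRealPath() makes the path absolute, collapses ".." and follows symlinks,
        // so the check below sees the location that would actually be opened.
        Path resolved = Paths.get(userSupplied.trim()).toRealPath();
        for (Path root : allowedRoots)
        {
            // Path.startsWith compares whole name elements, so /data does not
            // match /data-evil the way String.startsWith would.
            if (resolved.startsWith(root.toRealPath()))
                return resolved;
        }
        throw new SecurityException("Path outside permitted directories: " + userSupplied);
    }

    public static void main(String[] args) throws IOException
    {
        // Constructed layout standing in for a data directory and a file beside it.
        Path dataDir = Files.createTempDirectory("data");
        Path table = Files.createDirectories(dataDir.resolve("ks1").resolve("tbl1"));
        Path sstable = Files.createFile(table.resolve("mc-1-big-Data.db"));
        Path outside = Files.createTempFile(dataDir.getParent(), "outside", ".db");
        List<Path> roots = Collections.singletonList(dataDir);

        System.out.println("accepted: " + resolveInside(roots, " " + sstable + " "));
        String traversal = dataDir.resolve("ks1/../../" + outside.getFileName()).toString();
        try
        {
            resolveInside(roots, traversal);
        }
        catch (SecurityException e)
        {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check requires the file to exist because `toRealPath()` must resolve it on disk; code that creates new files would instead resolve the parent directory and validate that.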