[ https://issues.apache.org/jira/browse/CASSANDRA-12297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Brown reassigned CASSANDRA-12297:
---------------------------------------

    Assignee:     (was: Jason Brown)

> Privacy Violation - Heap Inspection
> -----------------------------------
>
>                 Key: CASSANDRA-12297
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12297
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
> Issue:
> In the file PasswordAuthenticator.java on lines 129, 164 and 222 a string object is used to store sensitive data. String objects are immutable and should not be used to store sensitive data. Sensitive data should be stored in char or byte arrays and the contents of those arrays should be cleared ASAP. Operations performed on string objects will require that the original object be copied and the operation be applied to the new copy of the string object. This results in the likelihood of multiple copies of sensitive data being present in the heap until garbage collection takes place.
> The snippet below shows the issue on line 129:
> PasswordAuthenticator.java, lines 123-134:
> {code:java}
> 123 public AuthenticatedUser legacyAuthenticate(Map<String, String> credentials) throws AuthenticationException
> 124 {
> 125     String username = credentials.get(USERNAME_KEY);
> 126     if (username == null)
> 127         throw new AuthenticationException(String.format("Required key '%s' is missing", USERNAME_KEY));
> 128 
> 129     String password = credentials.get(PASSWORD_KEY);
> 130     if (password == null)
> 131         throw new AuthenticationException(String.format("Required key '%s' is missing", PASSWORD_KEY));
> 132 
> 133     return authenticate(username, password);
> 134 }
> {code}
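As an added illustration of the array-based handling the report recommends (example code, not Cassandra's own): a hypothetical `ArrayCredentialCheck` verifier takes the password as a `char[]`, encodes it to bytes without ever creating a `String`, and zeroes every intermediate buffer in a `finally` block; the SHA-256 digest is only a stand-in for whatever password hash the store really uses. The wiping only helps if the caller carries the `char[]` end to end: once a `Map<String, String>` like the one in the snippet has been built, the copy in that `String` cannot be cleared.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Hypothetical verifier (not Cassandra code): the password only ever lives in
// arrays, each of which is zeroed as soon as the comparison is done.
public final class ArrayCredentialCheck
{
    private final byte[] storedDigest;

    public ArrayCredentialCheck(byte[] storedDigest)
    {
        this.storedDigest = storedDigest.clone();
    }

    // SHA-256 stands in for a real slow password hash (bcrypt, scrypt, ...).
    static byte[] digest(byte[] input) throws NoSuchAlgorithmException
    {
        return MessageDigest.getInstance("SHA-256").digest(input);
    }

    public boolean verify(char[] password) throws NoSuchAlgorithmException
    {
        // Encode char[] -> UTF-8 bytes without ever creating a String.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        byte[] actual = null;
        try
        {
            actual = digest(bytes);
            return MessageDigest.isEqual(storedDigest, actual); // constant-time compare
        }
        finally
        {
            // Wipe every copy made here; an immutable String could not be wiped.
            Arrays.fill(bytes, (byte) 0);
            if (encoded.hasArray())
                Arrays.fill(encoded.array(), (byte) 0);
            if (actual != null)
                Arrays.fill(actual, (byte) 0);
        }
    }
}
```

The caller is expected to `Arrays.fill(password, '\0')` its own array in a `finally` block right after `verify` returns, so no copy outlives the authentication attempt.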



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
