[ https://issues.apache.org/jira/browse/CASSANDRA-12324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
C. Scott Andreas updated CASSANDRA-12324:
-----------------------------------------
    Component/s: Core
                     (was: Libraries)

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12324
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12324
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Core
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
>
> Issue:
> Dynamically loaded code has the potential to be malicious. The application uses external input to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
>
> The snippet below shows the issue which ends on line 436 by returning an object associated with a class by name.
>
> {code:java}
> FBUtilities.java, lines 432-442:
> 432     public static <T> Class<T> classForName(String classname, String readable) throws ConfigurationException
> 433     {
> 434         try
> 435         {
> 436             return (Class<T>)Class.forName(classname);
> 437         }
> 438         catch (ClassNotFoundException | NoClassDefFoundError e)
> 439         {
> 440             throw new ConfigurationException(String.format("Unable to find %s class '%s'", readable, classname), e);
> 441         }
> 442     }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
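The mitigation the finding points at is to stop an externally supplied name from reaching `Class.forName` unchecked. The following is an added example, not Cassandra's code: a restricted variant of the `classForName` pattern that only accepts names from a fixed allow-list, defers static initialisation until the type has been verified, and checks the loaded class against the interface the caller expects. The allow-list contents, the `RestrictedClassLoading` class name and the use of `IllegalArgumentException` in place of Cassandra's `ConfigurationException` are assumptions for the example.

```java
import java.util.List;
import java.util.Set;

// Added example (not Cassandra's code): a restricted form of the
// classForName pattern quoted in the issue above.
public final class RestrictedClassLoading
{
    // Hypothetical allow-list; a real deployment would enumerate only the
    // implementations it actually ships and wants configuration to select.
    private static final Set<String> ALLOWED = Set.of(
        "java.util.ArrayList",
        "java.util.LinkedList",
        "java.util.HashMap");

    public static <T> Class<? extends T> classForName(String classname,
                                                     String readable,
                                                     Class<T> expected)
    {
        // 1. Reject anything that is not explicitly permitted before any
        //    class loading happens at all.
        if (classname == null || !ALLOWED.contains(classname))
            throw new IllegalArgumentException(String.format(
                "%s class '%s' is not in the allow-list", readable, classname));
        try
        {
            // 2. initialize=false: static initializers do not run until the
            //    type check below has passed.
            Class<?> c = Class.forName(classname, false,
                                       RestrictedClassLoading.class.getClassLoader());
            // 3. The class must implement the type the caller expects.
            if (!expected.isAssignableFrom(c))
                throw new IllegalArgumentException(String.format(
                    "%s class '%s' does not implement %s",
                    readable, classname, expected.getName()));
            return c.asSubclass(expected);
        }
        catch (ClassNotFoundException | NoClassDefFoundError e)
        {
            throw new IllegalArgumentException(String.format(
                "Unable to find %s class '%s'", readable, classname), e);
        }
    }

    public static void main(String[] args)
    {
        // Accepted: listed name, and it is a java.util.List.
        System.out.println(classForName("java.util.ArrayList", "list", List.class).getName());
        // Rejected at step 1: not in the allow-list, so Class.forName is never reached.
        try { classForName("java.util.TreeMap", "list", List.class); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
        // Rejected at step 3: listed, but a HashMap is not a List.
        try { classForName("java.util.HashMap", "list", List.class); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```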