[ https://issues.apache.org/jira/browse/CASSANDRA-12319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
C. Scott Andreas updated CASSANDRA-12319:
-----------------------------------------
    Component/s: Core

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code
> ------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12319
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12319
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Core
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
> Issue:
> Dynamically loaded code has the potential to be malicious. The application uses external input to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
> The snippet below shows the issue, which ends on line 63 by instantiating a class by name.
> TServerCustomFactory.java, lines 41-73:
> {code:java}
> 41     public TServer buildTServer(TServerFactory.Args args)
> 42     {
> 43         TServer server;
> 44         if (ThriftServer.SYNC.equalsIgnoreCase(serverType))
> 45         {
> 46             server = new CustomTThreadPoolServer.Factory().buildTServer(args);
> 47         }
> 48         else if(ThriftServer.ASYNC.equalsIgnoreCase(serverType))
> 49         {
> 50             server = new CustomTNonBlockingServer.Factory().buildTServer(args);
> 51             logger.info(String.format("Using non-blocking/asynchronous thrift server on %s : %s", args.addr.getHostName(), args.addr.getPort()));
> 52         }
> 53         else if(ThriftServer.HSHA.equalsIgnoreCase(serverType))
> 54         {
> 55             server = new THsHaDisruptorServer.Factory().buildTServer(args);
> 56             logger.info(String.format("Using custom half-sync/half-async thrift server on %s : %s", args.addr.getHostName(), args.addr.getPort()));
> 57         }
> 58         else
> 59         {
> 60             TServerFactory serverFactory;
> 61             try
> 62             {
> 63                 serverFactory = (TServerFactory) Class.forName(serverType).newInstance();
> 64             }
> 65             catch (Exception e)
> 66             {
> 67                 throw new RuntimeException("Failed to instantiate server factory:" + serverType, e);
> 68             }
> 69             server = serverFactory.buildTServer(args);
> 70             logger.info(String.format("Using custom thrift server %s on %s : %s", server.getClass().getName(), args.addr.getHostName(), args.addr.getPort()));
> 71         }
> 72         return server;
> 73     }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
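The point the finding turns on, shown as an added example that is not part of the ticket or of Cassandra's own code: with `Class.forName(serverType).newInstance()` the named class is loaded, initialized and constructed before the `(TServerFactory)` cast on line 63 can reject it, so any class reachable on the classpath gets to run its static initializer and constructor, factory or not. A guarded loader resolves the name with `initialize=false`, checks assignability to the factory interface, and only then constructs it. In Cassandra 3.0 the `serverType` string is the `rpc_server_type` value from cassandra.yaml, so it is operator-controlled configuration rather than network input; the check still matters wherever the configuration file is less trusted than the classpath. `ServerFactory`, `SyncFactory` and `NotAFactory` below are hypothetical stand-ins for `TServerFactory`, a built-in factory, and an arbitrary non-factory class; Java 9 or later is assumed for `Map.of`.

```java
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not Cassandra code. ServerFactory, SyncFactory and
// NotAFactory are hypothetical stand-ins for TServerFactory, one of the
// built-in factories, and a non-factory class that happens to be on the
// classpath.
public class FactoryLoadingDemo
{
    interface ServerFactory
    {
        String buildServer();
    }

    public static final class SyncFactory implements ServerFactory
    {
        public String buildServer() { return "sync server"; }
    }

    // Counts how often NotAFactory's static initializer has run.
    static int staticInitRuns = 0;

    // Not a factory at all. Its static initializer stands in for whatever a
    // class runs on initialization; with loadUnchecked it executes before
    // the cast to ServerFactory gets a chance to fail.
    public static final class NotAFactory
    {
        static { staticInitRuns++; }
    }

    // Mirrors line 63 of TServerCustomFactory.buildTServer: the class is
    // resolved, initialized and instantiated, and only then cast.
    static ServerFactory loadUnchecked(String serverType) throws Exception
    {
        return (ServerFactory) Class.forName(serverType).newInstance();
    }

    // Names handled without any reflection at all (the sync/async/hsha
    // branches of the original method).
    private static final Map<String, Class<? extends ServerFactory>> BUILT_IN =
        Map.of("sync", SyncFactory.class);

    // Shape check on the class name. It does not make a name safe; it only
    // rejects obvious garbage before the class loader sees it.
    private static final Pattern CLASS_NAME =
        Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*");

    static ServerFactory loadChecked(String serverType) throws ReflectiveOperationException
    {
        Class<? extends ServerFactory> builtIn = BUILT_IN.get(serverType.toLowerCase(Locale.ROOT));
        if (builtIn != null)
            return builtIn.getDeclaredConstructor().newInstance();

        if (!CLASS_NAME.matcher(serverType).matches())
            throw new IllegalArgumentException("Not a class name: " + serverType);

        // initialize=false: resolve the class but do not run its static
        // initializer until it has passed the type check below.
        Class<?> candidate = Class.forName(serverType, false, FactoryLoadingDemo.class.getClassLoader());
        if (!ServerFactory.class.isAssignableFrom(candidate))
            throw new IllegalArgumentException(serverType + " does not implement ServerFactory");

        // The type is now known to be right, so the constructor runs only
        // for a genuine factory and asSubclass makes the cast explicit.
        return candidate.asSubclass(ServerFactory.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception
    {
        String hostile = NotAFactory.class.getName();

        System.out.println(loadChecked("sync").buildServer());

        try { loadChecked(hostile); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println("static initializer runs after checked load: " + staticInitRuns);

        try { loadUnchecked(hostile); }
        catch (ClassCastException e) { System.out.println("cast failed, but only after initialization"); }
        System.out.println("static initializer runs after unchecked load: " + staticInitRuns);
    }
}
```

Compile and run with `javac FactoryLoadingDemo.java && java FactoryLoadingDemo`. The guarded loader refuses `NotAFactory` while its counter is still untouched, because `Class.forName(name, false, loader)` and `isAssignableFrom` never initialize the class; the unchecked loader throws `ClassCastException` only after the counter has already moved, which is exactly the window the Fortify finding describes. Keeping the built-in names in a map also removes the need to reflect at all for the common configurations.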