[
https://issues.apache.org/jira/browse/LANG-1079?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benedikt Ritter resolved LANG-1079.
-----------------------------------
Resolution: Invalid
Fix Version/s: (was: 3.x)
Closing this as invalid.
> BUG - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') ClassUtils
> ---------------------------------------------------------------------------------------------------
>
> Key: LANG-1079
> URL: https://issues.apache.org/jira/browse/LANG-1079
> Project: Commons Lang
> Issue Type: Bug
> Components: lang.*
> Affects Versions: 3.x
> Reporter: David Camilo Espitia Manrique
> Priority: Minor
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> We are currently using "commons-lang3-3.0" and in the analysis of Veracode found this bug in "ClassUtils line 792":
> Description:
> A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the user-supplied class name will have already executed.
> Recommendations:
> Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
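As an added illustration, not code from Commons Lang, the reporter or Veracode: the caller-side pattern the finding describes (an unvalidated name cast only after construction) next to the allow-list check the recommendation asks for. The `Exporter` interface and the listed class names are hypothetical; the `ClassUtils.getClass(String, boolean)` overload is the real one, with `initialize = false` keeping the static initializer from running during the lookup.

```java
import java.util.Set;
import org.apache.commons.lang3.ClassUtils;

public final class AllowListedClassResolver {
    /** Hypothetical plugin interface the application expects to receive. */
    public interface Exporter { void export(String data); }

    // Constructed allow-list: the only fully qualified names the application will load.
    private static final Set<String> ALLOWED = Set.of(
        "com.example.export.CsvExporter",
        "com.example.export.JsonExporter");

    /** The shape the finding describes: the name goes straight into lookup and
     *  instantiation, and the type check happens only after the constructor ran. */
    public static Exporter unsafeNewExporter(String requestedName)
            throws ReflectiveOperationException {
        Object o = ClassUtils.getClass(requestedName).getDeclaredConstructor().newInstance();
        return (Exporter) o; // ClassCastException here arrives too late
    }

    /** Hardened form: validate, resolve without initializing, type-check, then construct. */
    public static Exporter newExporter(String requestedName)
            throws ReflectiveOperationException {
        // 1. Reject anything not on the allow-list before reflection is touched at all.
        if (requestedName == null || !ALLOWED.contains(requestedName)) {
            throw new IllegalArgumentException("class not permitted: " + requestedName);
        }
        // 2. Resolve the class with initialize = false so the lookup itself runs no
        //    static initializer of a class that later fails the type check.
        Class<?> candidate = ClassUtils.getClass(requestedName, false);
        // 3. asSubclass only consults the type hierarchy; it neither initializes
        //    nor instantiates, so a mismatch is rejected with no code executed.
        Class<? extends Exporter> exporterClass = candidate.asSubclass(Exporter.class);
        // 4. Only a permitted, correctly typed class reaches the constructor.
        return exporterClass.getDeclaredConstructor().newInstance();
    }
}
```

The allow-list belongs in the calling application, which is the only place that knows which classes are legitimate for a given lookup.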