[jira] [Updated] (CASSANDRA-12328) Path Manipulation
    [ https://issues.apache.org/jira/browse/CASSANDRA-12328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

C. Scott Andreas updated CASSANDRA-12328:
-----------------------------------------
    Component/s: Compaction

> Path Manipulation
> -----------------
>
>                 Key: CASSANDRA-12328
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12328
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Compaction
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> There are multiple places in the Cassandra source code where a string that
> determines the path of a file is not examined prior to use. Path traversal
> vulnerabilities are common software security problems and failure to validate
> the path prior to opening/creating a file may result in operating in a directory
> that is outside the intended control sphere.
>
> Path manipulation issues were found in the following locations:
> CompactionManager.java Line 637
> Descriptor.java Line 224
> MetadataSerializer.java Line 83, 153
> CommitLog.java Line 199
> LogTransaction.java Line 311
> WindowsFailedSnapshotTracker.java Line 51, 55, 60, 78, 84, 95
> LegacyMetadataSerializer.java Line 84
> FileUtils.java Line 116, 172, 354, 368, 386, 437
> RewindableDataInputStreamPlus.java Line 226
> CassandraDaemon.java Line 557
> NodeTool.java Line 261
> CustomClassLoader.java Line 77
> CoalescingStrategies.java Line 54, 150
> FBUtilities.java Line 309, 748
>
> The following snippet is from CompactionManager.java where unvalidated input
> is parsed and used to create a new File object on line 637:
> {code:java}
> CompactionManager.java, lines 621-638:
> 621 public void forceUserDefinedCompaction(String dataFiles)
> 622 {
> 623     String[] filenames = dataFiles.split(",");
> 624     Multimap descriptors = ArrayListMultimap.create();
> 625
> 626     for (String filename : filenames)
> 627     {
> 628         // extract keyspace and columnfamily name from filename
> 629         Descriptor desc = Descriptor.fromFilename(filename.trim());
> 630         if (Schema.instance.getCFMetaData(desc) == null)
> 631         {
> 632             logger.warn("Schema does not exist for file {}. Skipping.", filename);
> 633             continue;
> 634         }
> 635         // group by keyspace/columnfamily
> 636         ColumnFamilyStore cfs = Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
> 637         descriptors.put(cfs, cfs.getDirectories().find(new File(filename.trim()).getName()));
> 638     }
> {code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
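
One way to perform the path check the issue description asks for, shown as an added example that is not Cassandra code and not part of the original report: resolve each supplied name against a canonical data directory and reject anything that lands outside it. The class `DataFilePathCheck`, the method `resolveInside` and the sample file names are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Added illustration; class and method names are hypothetical, not Cassandra APIs.
public class DataFilePathCheck
{
    /** Resolve each comma-separated name under dataDir; reject anything that escapes it. */
    static List<Path> resolveInside(Path dataDir, String dataFiles) throws IOException
    {
        Path root = dataDir.toRealPath();               // canonical root, symlinks resolved
        List<Path> accepted = new ArrayList<>();
        for (String raw : dataFiles.split(","))
        {
            String name = raw.trim();
            if (name.isEmpty() || name.indexOf('\0') >= 0)
                throw new IllegalArgumentException("empty or malformed file name");

            // Lexical check: collapse "." and ".." before comparing path prefixes.
            // An absolute name replaces root entirely in resolve(), so it fails here too.
            Path candidate = root.resolve(name).normalize();
            if (!candidate.startsWith(root))
                throw new IllegalArgumentException("path escapes data directory: " + name);

            // Symlink check: an existing file must still live under root once resolved.
            if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root))
                throw new IllegalArgumentException("symlink escapes data directory: " + name);

            accepted.add(candidate);
        }
        return accepted;
    }

    public static void main(String[] args) throws IOException
    {
        // Constructed sample input: a temporary directory standing in for a data directory.
        Path dataDir = Files.createTempDirectory("data");
        Files.createDirectories(dataDir.resolve("ks1/tbl1"));
        Files.createFile(dataDir.resolve("ks1/tbl1/sample-Data.db"));

        System.out.println("accepted: " + resolveInside(dataDir, "ks1/tbl1/sample-Data.db"));
        for (String bad : new String[] { "../outside-Data.db", "/var/tmp/outside-Data.db", "ks1/../../x" })
        {
            try { resolveInside(dataDir, bad); System.out.println("accepted: " + bad); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

`Path.startsWith` compares whole path elements rather than string prefixes, so a sibling directory such as `data2` does not pass as being inside `data`.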
[jira] [Updated] (CASSANDRA-12328) Path Manipulation
    [ https://issues.apache.org/jira/browse/CASSANDRA-12328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Ellis updated CASSANDRA-12328:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Path Manipulation
> -----------------
>
>                 Key: CASSANDRA-12328
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12328
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (CASSANDRA-12328) Path Manipulation
    [ https://issues.apache.org/jira/browse/CASSANDRA-12328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eduardo Aguinaga updated CASSANDRA-12328:
-----------------------------------------
    Description:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

Issue:
There are multiple places in the Cassandra source code where a string that determines the path of a file is not examined prior to use. Path traversal vulnerabilities are common software security problems and failure to validate the path prior to opening/creating a file may result in operating in a directory that is outside the intended control sphere.

Path manipulation issues were found in the following locations:
CompactionManager.java Line 637
Descriptor.java Line 224
MetadataSerializer.java Line 83, 153
CommitLog.java Line 199
LogTransaction.java Line 311
WindowsFailedSnapshotTracker.java Line 51, 55, 60, 78, 84, 95
LegacyMetadataSerializer.java Line 84
FileUtils.java Line 116, 172, 354, 368, 386, 437
RewindableDataInputStreamPlus.java Line 226
CassandraDaemon.java Line 557
NodeTool.java Line 261
CustomClassLoader.java Line 77
CoalescingStrategies.java Line 54, 150
FBUtilities.java Line 309, 748

The following snippet is from CompactionManager.java where unvalidated input is parsed and used to create a new File object on line 637:
{code:java}
CompactionManager.java, lines 621-638:
621 public void forceUserDefinedCompaction(String dataFiles)
622 {
623     String[] filenames = dataFiles.split(",");
624     Multimap descriptors = ArrayListMultimap.create();
625
626     for (String filename : filenames)
627     {
628         // extract keyspace and columnfamily name from filename
629         Descriptor desc = Descriptor.fromFilename(filename.trim());
630         if (Schema.instance.getCFMetaData(desc) == null)
631         {
632             logger.warn("Schema does not exist for file {}. Skipping.", filename);
633             continue;
634         }
635         // group by keyspace/columnfamily
636         ColumnFamilyStore cfs = Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
637         descriptors.put(cfs, cfs.getDirectories().find(new File(filename.trim()).getName()));
638     }
{code}

  was:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

Issue:
There are several places in the Cassandra source code where a string that determines the path of a file is not examined prior to use. Path traversal vulnerabilities are common software security problems and failure to validate the path prior to opening/creating a file may result in operating in a directory that is outside the intended control sphere.

Path manipulation issues were found in the following locations:
CompactionManager.java Line 637
Descriptor.java Line 224
MetadataSerializer.java Line 83

The following snippet is from CompactionManager.java where unvalidated input is parsed and used to create a new File object on line 637:
{code:java}
CompactionManager.java, lines 621-638:
621 public void forceUserDefinedCompaction(String dataFiles)
622 {
623     String[] filenames = dataFiles.split(",");
624     Multimap descriptors = ArrayListMultimap.create();
625
626     for (String filename : filenames)
627     {
628         // extract keyspace and columnfamily name from filename
629         Descriptor desc = Descriptor.fromFilename(filename.trim());
630         if (Schema.instance.getCFMetaData(desc) == null)
631         {
632             logger.warn("Schema does not exist for file {}. Skipping.", filename);
633             continue;
634         }
635         // group by keyspace/columnfamily
636         ColumnFamilyStore cfs = Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
637         descriptors.put(cfs, cfs.getDirectories().find(new File(filename.trim()).getName()));
638     }
{code}

> Path Manipulation
> -----------------
>
>                 Key: CASSANDRA-12328
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12328
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5
> of the Cassandra source code. The analysis included an automated analysis
> using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools
> Understand v4. The results of that analysis include the issue below.
>
> Issue:
> There are multiple places in the Cassandra source code where a string t
[jira] [Updated] (CASSANDRA-12328) Path Manipulation
    [ https://issues.apache.org/jira/browse/CASSANDRA-12328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eduardo Aguinaga updated CASSANDRA-12328:
-----------------------------------------
    Reproduced In: 3.0.5
    Fix Version/s:     (was: 3.0.5)

> Path Manipulation
> -----------------
>
>                 Key: CASSANDRA-12328
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12328
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Eduardo Aguinaga