camel-dev mailing list archives

From MrLion <...@git.apache.org>
Subject camel pull request: VERACODE-648: fix of CWE ID470 in AnnotationTypeConvert...
Date Mon, 16 Dec 2013 15:37:39 GMT
GitHub user MrLion opened a pull request:

    https://github.com/apache/camel/pull/68

    VERACODE-648: fix of CWE ID470 in AnnotationTypeConverterLoader using ObjectHelper.loadClass for class loading

    https://issues.apache.org/jira/browse/CAMEL-7072
    
    During a Veracode scan of our application we discovered a security issue in Camel. Please review our fix and apply it in future versions.
    
    Quote from Veracode report below:
    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID470) (1 flaw)
    Description
    A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the user-supplied class name will have already executed.
    Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
    Recommendations
    Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.
    Instances found via Static Scan
    Module # Class # Module Location Fix By Flaw Id
    .../AnnotationTypeConverterLoader.java - line 168
    


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/engagepoint/camel feature-ENT-648-12

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/camel/pull/68.patch

----
commit 8e35ff71d5455ec13e5d29b911d21f0093dfffe9
Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
Date:   2013-12-16T15:19:51Z

    VERACODE-648: fix of CWE ID470 in AnnotationTypeConverterLoader using ObjectHelper.loadClass for class loading

----
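Added illustration (not part of the original message, not the PR's change, and not Camel's ObjectHelper.loadClass) of the CWE-470 pattern the Veracode finding describes and of the allow-list validation it recommends. The Converter interface, the two sample classes, the class names and the allow-list below are all constructed for this example; the point it shows is the one in the report text: with the naive pattern the static initializer and constructor of whatever class was named run before the cast ever fails, while the checked variant rejects the name before the class loader is touched and loads without initialization before verifying the type.

```java
import java.util.Set;

// Added example: minimal loader contrasting the CWE-470 pattern with one
// hardened form. All names here are constructed and are not Camel's code.
public class ReflectionLoadingExample {

    /** Stand-in for the converter type the loader expects (constructed). */
    public interface Converter {
        Object convert(Object value);
    }

    /** A legitimate converter that the loader should accept (constructed). */
    public static class UpperCaseConverter implements Converter {
        public Object convert(Object value) {
            return String.valueOf(value).toUpperCase();
        }
    }

    /** Stand-in for an unrelated class whose initializers have side effects (constructed). */
    public static class SideEffectClass {
        static { System.out.println("static initializer of SideEffectClass ran"); }
        public SideEffectClass() { System.out.println("constructor of SideEffectClass ran"); }
    }

    // --- Vulnerable pattern (CWE-470) ---
    // The class name comes from an untrusted source and is loaded and
    // instantiated before any check. If it is not a Converter the cast fails,
    // but only after the static initializer and constructor have already run.
    public static Converter loadUnsafe(String className) throws Exception {
        Class<?> clazz = Class.forName(className);                      // initializes the class
        Object instance = clazz.getDeclaredConstructor().newInstance(); // runs its constructor
        return (Converter) instance;                                    // ClassCastException comes too late
    }

    // --- Hardened pattern ---
    // 1. Validate the name against an allow-list before touching the class loader.
    // 2. Load with initialize=false so no static initializer runs before the type check.
    // 3. Verify assignability to the expected type before instantiating.
    private static final Set<String> ALLOWED = Set.of(UpperCaseConverter.class.getName());

    public static Converter loadChecked(String className) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not permitted: " + className);
        }
        Class<?> clazz = Class.forName(className, false,
                ReflectionLoadingExample.class.getClassLoader());
        if (!Converter.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not a Converter: " + className);
        }
        return clazz.asSubclass(Converter.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        String notAConverter = SideEffectClass.class.getName();

        try {
            loadUnsafe(notAConverter);
        } catch (ClassCastException e) {
            System.out.println("unsafe: cast failed, but initializer and constructor already ran");
        }

        try {
            loadChecked(notAConverter);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected before loading: " + e.getMessage());
        }

        Converter ok = loadChecked(UpperCaseConverter.class.getName());
        System.out.println("checked: " + ok.convert("camel"));
    }
}
```

Compile and run with a Java 9 or newer JDK (Set.of). Running main shows the two side-effect messages printed under the unsafe path before the cast fails, and nothing but the rejection message under the checked path. A deny-list alone would not give the same guarantee, since any class not on it is still initialized; the allow-list plus initialize=false is what keeps untrusted names from executing code.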

