camel-issues mailing list archives

From "Willem Jiang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CAMEL-7072) Veracode compliance. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) in AnnotationTypeConverterLoader
Date Tue, 17 Dec 2013 09:33:10 GMT

    [ https://issues.apache.org/jira/browse/CAMEL-7072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13850289#comment-13850289 ]

Willem Jiang commented on CAMEL-7072:
-------------------------------------

I don't think the patch fixes the real issue; it just works around the warning of the Veracode report.
BTW, there are a few places in Camel that use the class loader to load the class that way.
I'm not sure why the code scanner only found this place.

> Veracode compliance. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) in AnnotationTypeConverterLoader
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-7072
>                 URL: https://issues.apache.org/jira/browse/CAMEL-7072
>             Project: Camel
>          Issue Type: Improvement
>    Affects Versions: 2.12.2
>            Reporter: Leonid Marushevskiy
>            Assignee: Willem Jiang
>              Labels: Security, Veracode
>
> Pull request https://github.com/apache/camel/pull/68
> During a Veracode scan of our application we discovered a security issue in Camel. Please review our fix and apply it in future versions.
> Quote from Veracode report below:
> Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) (1 flaw)
> Description
> A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the user-supplied class name will have already executed.
> Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
> Recommendations
> Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.
> Instances found via Static Scan
> Module # Class # Module Location Fix By Flaw Id
> .../AnnotationTypeConverterLoader.java - line 168

--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
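As an added illustration of the CWE-470 pattern this issue is about (this is not Camel's AnnotationTypeConverterLoader nor the pull request's fix), the hypothetical `ConverterLoaderExample` below places a loader that instantiates an externally supplied class name unchecked beside one that applies the allowlist the Veracode recommendation asks for and defers class initialization until the type has been verified; the `TypeConverter` interface and the package names in the allowlist are assumptions.

```java
import java.util.Set;

// Hypothetical loader illustrating CWE-470 and one hardening; not Camel code.
public final class ConverterLoaderExample {

    // Assumed plug-in contract that loaded classes are expected to implement.
    public interface TypeConverter {
        Object convert(Object value);
    }

    // Unsafe: the class name comes from outside (a resource file, config, ...)
    // and is loaded and instantiated before any check. Class.forName with
    // initialize=true also runs static initializers, so by the time a later
    // ClassCastException fires, code from the supplied class has already run.
    static TypeConverter loadUnsafe(String className, ClassLoader cl) throws Exception {
        Class<?> clazz = Class.forName(className, true, cl);
        return (TypeConverter) clazz.getDeclaredConstructor().newInstance();
    }

    // Constructed sample allowlist entries (assumed package names).
    static final Set<String> ALLOWED = Set.of(
        "com.example.converters.DateConverter",
        "com.example.converters.NumberConverter");

    // Hardened: reject names not on the allowlist, load WITHOUT initializing
    // (initialize=false), verify assignability, and only then instantiate.
    static TypeConverter loadChecked(String className, ClassLoader cl) throws Exception {
        if (className == null || !ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not on allowlist: " + className);
        }
        // No static initializer runs at this point.
        Class<?> clazz = Class.forName(className, false, cl);
        if (!TypeConverter.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not a TypeConverter: " + className);
        }
        // Only a verified subtype reaches this point; initialization is now acceptable.
        return clazz.asSubclass(TypeConverter.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = ConverterLoaderExample.class.getClassLoader();
        try {
            loadChecked("com.example.NotOnTheList", cl); // constructed name, rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist check alone would satisfy the scanner's recommendation; the `initialize=false` load plus `isAssignableFrom` is what closes the gap the report describes, where a constructor or static initializer runs before the cast fails.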
