From: "Daniel Kulp (JIRA)"
To: issues@camel.apache.org
Reply-To: dev@camel.apache.org
Date: Tue, 17 Dec 2013 12:30:07 +0000 (UTC)
Subject: [jira] [Commented] (CAMEL-7072) Veracode compliance. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) in AnnotationTypeConverterLoader

[ https://issues.apache.org/jira/browse/CAMEL-7072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13850399#comment-13850399 ]

Daniel Kulp commented on CAMEL-7072:
------------------------------------

I kind of agree with Willem. This code pushes the call into ObjectHelper (which I'm OK with), but my expectation is that ObjectHelper would be flagged for the same reason.

In addition, your patch throws a ClassNotFoundException which is then immediately caught and ignored in the try/catch. That seems silly.
Plus, ObjectHelper already checks the name passed in to see if it's empty.

> Veracode compliance. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) in AnnotationTypeConverterLoader
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-7072
>                 URL: https://issues.apache.org/jira/browse/CAMEL-7072
>             Project: Camel
>          Issue Type: Improvement
>    Affects Versions: 2.12.2
>            Reporter: Leonid Marushevskiy
>            Assignee: Willem Jiang
>              Labels: Security, Veracode
>
> Pull request https://github.com/apache/camel/pull/68
>
> During a Veracode scan of our application we discovered a security issue in Camel. Please review our fix and apply it in future versions.
>
> Quote from the Veracode report below:
>
> Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) (1 flaw)
>
> Description
> A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the user-supplied class name will have already executed.
>
> Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
>
> Recommendations
> Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.
>
> Instances found via Static Scan
> Module # Class # Module Location Fix By Flaw Id
> .../AnnotationTypeConverterLoader.java - line 168

--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
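The two points the Veracode text makes (the constructor of an attacker-named class runs before any ClassCastException, and the fix is to validate the name against an allow-list) are easiest to see side by side. The following is an added example written for this page; it is not Camel's code, not the code in pull request 68, and not what ObjectHelper does. The `Converter` interface, the `UpperCaseConverter` class and the package prefixes in `ALLOWED_PREFIXES` are assumptions made up for the illustration.

```java
import java.util.Set;

// Added example (not Camel's code): CWE-470 unsafe reflection, unsafe vs. hardened loader.
public class ReflectionLoadingExample {

    /** Hypothetical plugin contract; stands in for the type the loader expects to produce. */
    public interface Converter {
        Object convert(Object in);
    }

    /** Hypothetical trusted implementation living in an allow-listed location. */
    public static final class UpperCaseConverter implements Converter {
        public Object convert(Object in) {
            return String.valueOf(in).toUpperCase();
        }
    }

    // UNSAFE: the class name comes straight from external input (an annotation or a
    // config entry read from some jar on the classpath). The one-argument Class.forName
    // initialises the named class, so its static initialiser runs, and newInstance()
    // runs its constructor. Both happen before the cast below is ever checked, so a
    // ClassCastException arrives after the attacker's code has already executed.
    public static Converter loadUnsafe(String className) throws Exception {
        Object o = Class.forName(className).getDeclaredConstructor().newInstance();
        return (Converter) o;
    }

    // Locations from which converters may be loaded (an assumption for this example).
    private static final Set<String> ALLOWED_PREFIXES = Set.of(
            "org.example.converters.",
            ReflectionLoadingExample.class.getName() + "$");

    // HARDENED: reject bad names before any code from the named class can run, resolve
    // the class without initialising it, and check the type before constructing.
    public static Converter loadSafe(String className, ClassLoader loader) throws Exception {
        if (className == null || className.isBlank()) {
            throw new IllegalArgumentException("empty class name");
        }
        boolean allowed = ALLOWED_PREFIXES.stream().anyMatch(className::startsWith);
        if (!allowed) {
            throw new SecurityException("class not in allow-list: " + className);
        }
        // initialize=false: resolving the class does not run its static initialiser.
        Class<?> raw = Class.forName(className, false, loader);
        // asSubclass throws ClassCastException here, before any constructor executes.
        Class<? extends Converter> type = raw.asSubclass(Converter.class);
        return type.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = ReflectionLoadingExample.class.getClassLoader();

        // Allow-listed, correctly typed class: loaded and used normally.
        Converter ok = loadSafe(UpperCaseConverter.class.getName(), cl);
        System.out.println(ok.convert("camel"));

        // A class outside the allow-list is refused before it is even resolved,
        // so neither its static initialiser nor its constructor runs.
        try {
            loadSafe("java.lang.ProcessBuilder", cl);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design points worth noting: the empty-name check alone (the check the comment above attributes to ObjectHelper) does not address CWE-470, because any non-empty attacker-chosen name still reaches `Class.forName`; and the hardened loader throws on a bad name rather than catching and discarding the exception, so a rejected or missing class is visible to the caller instead of silently producing no converter.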