From: "Willem Jiang (JIRA)"
To: issues@camel.apache.org
Reply-To: dev@camel.apache.org
Date: Wed, 18 Dec 2013 06:35:09 +0000 (UTC)
Subject: [jira] [Resolved] (CAMEL-7072) Veracode compliance. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) in AnnotationTypeConverterLoader

     [ https://issues.apache.org/jira/browse/CAMEL-7072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Willem Jiang resolved CAMEL-7072.
---------------------------------

    Resolution: Fixed
    Fix Version/s: 2.13.0
                   2.12.3
                   2.11.3

Applied the patch to master, camel-2.12.x and camel-2.11.x branches, with thanks to Leonid.

> Veracode compliance. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) in AnnotationTypeConverterLoader
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-7072
>                 URL: https://issues.apache.org/jira/browse/CAMEL-7072
>             Project: Camel
>          Issue Type: Improvement
>    Affects Versions: 2.12.2
>            Reporter: Leonid Marushevskiy
>            Assignee: Willem Jiang
>            Priority: Minor
>              Labels: Security, Veracode
>             Fix For: 2.11.3, 2.12.3, 2.13.0
>
>
> Pull request https://github.com/apache/camel/pull/68
>
> During a Veracode scan of our application we discovered a security issue in Camel. Please review our fix and apply it in future versions.
>
> Quote from the Veracode report below:
>
> Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) (1 flaw)
>
> Description
> A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may
> create unexpected control flow paths through the application. Depending on how reflection is being used, the attack
> vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected
> manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the
> constructor of the user-supplied class name will have already executed.
>
> Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
>
> Recommendations
> Validate the class name against a combination of white and black lists to ensure that only expected behavior is
> produced.
>
> Instances found via Static Scan
>
>   Module # | Class # | Module | Location                                          | Fix By | Flaw Id
>   ---------|---------|--------|---------------------------------------------------|--------|--------
>            |         |        | .../AnnotationTypeConverterLoader.java - line 168 |        |

--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
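The Veracode description above makes one point that is easy to miss: with `Class.forName(name).newInstance()` followed by a cast, the attacker-chosen class is fully constructed (and its static initializer run) before the cast ever fails, so a later `ClassCastException` is not a defence. The following is an added example written for this page; it is not Camel's code and not the patch from pull request 68. The `TypeConverter` interface, the `Evil` and `UpperCaseConverter` classes and the `loadUnsafe`/`loadSafe` methods are hypothetical stand-ins for a converter loader. It shows the unsafe pattern beside a hardened one that rejects the name against an allow-list and checks assignability on the `Class` object before any constructor runs.

```java
import java.util.Set;

// Added illustration of CWE-470 (unsafe reflection); hypothetical names, not Camel code.
public class ReflectionDemo {

    // Hypothetical contract the loader expects to instantiate.
    public interface TypeConverter {
        Object convert(Object value);
    }

    // A class an attacker might name: constructor has a side effect and it does
    // NOT implement TypeConverter, so a cast to TypeConverter will fail, but too late.
    public static class Evil {
        static { System.out.println("Evil static initializer ran (triggered by Class.forName)"); }
        public Evil() { System.out.println("Evil constructor ran (before any cast)"); }
    }

    // The one converter we actually intend to allow.
    public static class UpperCaseConverter implements TypeConverter {
        public Object convert(Object value) { return String.valueOf(value).toUpperCase(); }
    }

    // VULNERABLE: className is externally controlled and used directly.
    static TypeConverter loadUnsafe(String className) throws Exception {
        Class<?> clazz = Class.forName(className);                     // runs static initializers
        Object instance = clazz.getDeclaredConstructor().newInstance(); // runs the constructor
        return (TypeConverter) instance;                                // ClassCastException only now
    }

    // HARDENED: explicit allow-list of fully qualified (binary) class names.
    // Nested classes use '$' in their binary name, hence "ReflectionDemo$UpperCaseConverter".
    static final Set<String> ALLOWED = Set.of("ReflectionDemo$UpperCaseConverter");

    static TypeConverter loadSafe(String className) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("converter not allowed: " + className);
        }
        // initialize=false: resolve the class without running its static initializer,
        // so nothing attacker-controlled executes before the checks below pass.
        Class<?> clazz = Class.forName(className, false, ReflectionDemo.class.getClassLoader());
        if (!TypeConverter.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not a TypeConverter: " + className);
        }
        // Only a verified, allow-listed subtype reaches construction.
        return clazz.asSubclass(TypeConverter.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        String attackerInput = "ReflectionDemo$Evil"; // constructed attacker-supplied value

        try {
            loadUnsafe(attackerInput);
        } catch (ClassCastException e) {
            System.out.println("unsafe: cast failed, but Evil already initialized and constructed");
        }

        try {
            loadSafe(attackerInput);
        } catch (IllegalArgumentException e) {
            System.out.println("safe: rejected before anything ran: " + e.getMessage());
        }

        System.out.println(loadSafe("ReflectionDemo$UpperCaseConverter").convert("ok"));
    }
}
```

Compile and run with `javac ReflectionDemo.java && java ReflectionDemo` (Java 9 or later for `Set.of`). Running it prints the `Evil` static-initializer and constructor lines from the unsafe path before the cast failure is reported, and nothing from `Evil` on the safe path. Of the "white and black lists" the report recommends, the allow-list is the part that actually closes the hole: a deny-list can only name classes already known to be dangerous, while an allow-list bounds the reachable classes to the ones the loader was written for.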