cassandra-commits mailing list archives

From "Jonathan Ellis (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-12325) Access Specifier Manipulation
Date Wed, 27 Jul 2016 21:34:20 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-12325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Ellis updated CASSANDRA-12325:
---------------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: CASSANDRA-12334

> Access Specifier Manipulation
> -----------------------------
>
>                 Key: CASSANDRA-12325
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12325
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
> Issue:
> There are 18 instances in the Cassandra source code where setAccessible() is used to suppress Java language access checking. Static analysis automation tools, like Fortify, will log every instance of the use of setAccessible(), and its use represents a possible security issue.
> The use of setAccessible() can cause security problems if the Java access checking is suppressed longer than required or another approach could be taken other than suppressing access checking. This issue will list all 18 instances where setAccessible() is used, and the usage of this method should be reviewed and checked to make sure it is not used inappropriately.
> setAccessible() is used in the following places:
> UDHelper.java Line 49
> HadoopCompat.java Line 109, 113, 118, 150, 152, 154
> Memory.java Line 42
> GCInspector.java Line 68
> Locks.java Line 33
> Ref.java Line 626
> FastByteOperations.java Line 150
> FBUtilities.java Line 539
> Hex.java Line 128
> MemoryUtil.java Line 61
> SyncUtil.java Line 33, 45, 57
> UDHelper.java, lines 45-56:
> {code:java}
> 45 try
> 46 {
> 47     Class<?> cls = Class.forName("com.datastax.driver.core.DataTypeClassNameParser");
> 48     Method m = cls.getDeclaredMethod("parseOne", String.class, ProtocolVersion.class, CodecRegistry.class);
> 49     m.setAccessible(true);
> 50     methodParseOne = MethodHandles.lookup().unreflect(m);
> 51     codecRegistry = new CodecRegistry();
> 52 }
> 53 catch (Exception e)
> 54 {
> 55     throw new RuntimeException(e);
> 56 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
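The review the issue asks for comes down to one question per call site: how long does the Method object stay with access checking switched off, and who can reach it in that state? The following is an added example, not Cassandra's code and not the reporter's; Parser is a hypothetical stand-in for the third-party DataTypeClassNameParser class in the UDHelper snippet. It contrasts the open-ended form a static analyser flags with a form that suppresses access checking only for the single unreflect() call, then restores the check before the Method object can escape. The MethodHandle keeps the access it was granted at lookup time, which is what the calling code actually needs.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.Method;

// Hypothetical stand-in for a third-party class with a non-public method.
// Declared top-level (not nested) so the caller is not a nestmate and the
// JVM really does enforce the private access check.
class Parser {
    private static String parseOne(String text) {
        return "parsed:" + text;
    }
}

public class ReflectionAccessReview {

    /** The pattern an analyser flags: access checking is switched off and never restored. */
    static Method openEnded() throws ReflectiveOperationException {
        Method m = Parser.class.getDeclaredMethod("parseOne", String.class);
        m.setAccessible(true);
        // Every holder of this Method object can now invoke the private method reflectively.
        return m;
    }

    /**
     * Reviewed form: the window in which access checking is suppressed is exactly
     * one unreflect() call. The resulting MethodHandle retains the access it was
     * granted, so the Method object is closed again immediately afterwards.
     */
    static MethodHandle unreflectBriefly(Method m) throws IllegalAccessException {
        boolean previous = m.isAccessible();
        m.setAccessible(true);
        try {
            return MethodHandles.lookup().unreflect(m);
        } finally {
            m.setAccessible(previous); // restore the check as soon as the handle exists
        }
    }

    public static void main(String[] args) throws Throwable {
        Method leaked = openEnded();
        System.out.println("open-ended Method accessible: " + leaked.isAccessible());

        Method m = Parser.class.getDeclaredMethod("parseOne", String.class);
        MethodHandle handle = unreflectBriefly(m);

        // The handle still works: access was checked once, at lookup time.
        String result = (String) handle.invokeExact("text");
        System.out.println("handle result: " + result);

        // The Method object is guarded again: a reflective call is rejected.
        try {
            m.invoke(null, "text");
            System.out.println("unexpected: Method still open");
        } catch (IllegalAccessException e) {
            System.out.println("Method guarded again: " + e.getClass().getSimpleName());
        }
    }
}
```

Expected behaviour when run on a stock JDK: the open-ended Method reports accessible, the handle returns "parsed:text", and the second reflective call fails with IllegalAccessException. Method.isAccessible() is deprecated from Java 9 but still present; on Java 9 and later the same check can be written with canAccess(null). When auditing the 18 call sites listed above, a site whose Method (or Field) object stays accessible and is stored in a shared field is the one that deserves the closest look.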
