commons-issues mailing list archives

From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LANG-1079) BUG -Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') ClassUtils
Date Sun, 28 Dec 2014 03:39:13 GMT

    [ https://issues.apache.org/jira/browse/LANG-1079?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14259558#comment-14259558 ]

Sebb commented on LANG-1079:
----------------------------

The report appears to be complaining about the method
{{Class<?> org.apache.commons.lang3.ClassUtils.getClass(ClassLoader classLoader, String className, boolean initialize)}}
which calls {{Class.forName}}.

I agree that it is the caller's job to ensure that the appropriate class name is used -- just
as it is when calling {{Class.forName}} directly.

I agree - close as invalid.


> BUG -Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') ClassUtils
> ---------------------------------------------------------------------------------------------------
>
>                 Key: LANG-1079
>                 URL: https://issues.apache.org/jira/browse/LANG-1079
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.x
>            Reporter: David Camilo Espitia Manrique
>            Priority: Minor
>             Fix For: 3.x
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> We are currently using "commons-lang3-3.0" and in the analysis of Veracode found this bug in "ClassUtils line 792":
> Description:
> A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the user-supplied class name will have already executed.
> Recommendations:
> Validate the class name against a combination of white and black lists to ensure that only expected behavior is produced.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
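The point both the reporter's scanner text and the comment make is that the validation belongs in the caller: ClassUtils.getClass is a thin wrapper and cannot know which names are acceptable. The following example was written for this page and is not code from commons-lang or from the reporter. It calls Class.forName(name, initialize, loader) directly, which the comment above identifies as what ClassUtils.getClass delegates to, so it runs without commons-lang3 on the classpath; the Formatter interface, the UpperFormatter and Unrelated classes, and the "attacker-supplied" request value are all constructed for the example. The unchecked version shows the side effects (static initializer at forName with initialize=true, constructor at newInstance) occurring before the cast fails; the checked version rejects the name before anything is loaded, loads with initialize=false, and verifies assignability before any constructor runs.

```java
import java.util.Set;

/**
 * Added example (not code from commons-lang or the issue reporter): a class name
 * taken from a request is handed to reflection, first unchecked and then with the
 * checks a caller of ClassUtils.getClass / Class.forName is expected to apply.
 * Formatter, UpperFormatter and Unrelated are constructed for this example.
 */
public final class SafeReflectionExample {

    /** The type the application expects to get back from the lookup. */
    public interface Formatter {
        String format(String in);
    }

    /** The one implementation the application actually intends to load. */
    public static final class UpperFormatter implements Formatter {
        public String format(String in) {
            return in.toUpperCase();
        }
    }

    /** Stands in for any class on the classpath whose initializer and constructor have side effects. */
    public static final class Unrelated {
        static { System.out.println("  [Unrelated] static initializer ran"); }
        public Unrelated() { System.out.println("  [Unrelated] constructor ran"); }
    }

    private static final ClassLoader LOADER = SafeReflectionExample.class.getClassLoader();

    /**
     * Vulnerable: the name is trusted as-is. Equivalent to
     * ClassUtils.getClass(LOADER, className, true) followed by instantiation;
     * the cast fails only after the class has been initialized and constructed.
     */
    static Formatter loadUnchecked(String className) throws ReflectiveOperationException {
        Class<?> cls = Class.forName(className, true, LOADER);        // runs the static initializer
        Object instance = cls.getDeclaredConstructor().newInstance(); // runs the constructor
        return (Formatter) instance;                                  // ClassCastException, too late
    }

    /** Exact binary names the application is willing to load (constructed allowlist; no prefixes). */
    private static final Set<String> ALLOWED = Set.of("SafeReflectionExample$UpperFormatter");

    /**
     * Hardened: reject the name before any loading, load without initializing,
     * and verify the type before a constructor is allowed to run.
     */
    static Formatter loadChecked(String className) throws ReflectiveOperationException {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not permitted: " + className);
        }
        Class<?> cls = Class.forName(className, false, LOADER);       // initialize=false: no static init yet
        if (!Formatter.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException("not a Formatter: " + className);
        }
        return cls.asSubclass(Formatter.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: what an attacker would put in a "formatter=" request parameter.
        String attackerSupplied = "SafeReflectionExample$Unrelated";

        System.out.println("unchecked:");
        try {
            loadUnchecked(attackerSupplied);
        } catch (ClassCastException e) {
            System.out.println("  ClassCastException, but the side effects above already happened");
        }

        System.out.println("checked:");
        try {
            loadChecked(attackerSupplied);
        } catch (IllegalArgumentException e) {
            System.out.println("  rejected before loading: " + e.getMessage());
        }

        Formatter ok = loadChecked("SafeReflectionExample$UpperFormatter");
        System.out.println("checked, allowed: " + ok.format("hello"));
    }
}
```

Compile and run with `javac SafeReflectionExample.java && java SafeReflectionExample` (Java 9 or later for `Set.of`). The ordering in loadChecked is the substance: the exact-name allowlist is consulted before Class.forName is ever called, the load uses initialize=false so no static initializer runs, and isAssignableFrom is evaluated before getDeclaredConstructor().newInstance(), so the only constructor that can execute belongs to a class the application already decided to accept. Replacing ClassUtils.getClass with Class.forName, or the reverse, changes none of this, which is why the report is a finding against the caller rather than against the library.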
