You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2016/08/29 11:34:21 UTC

[jira] [Updated] (CASSANDRA-12307) Command Injection

     [ https://issues.apache.org/jira/browse/CASSANDRA-12307?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eduardo Aguinaga updated CASSANDRA-12307:
-----------------------------------------
    Description: 
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.

Issue:
Two commands, archiveCommand and restoreCommand, are stored as string properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The only processing performed on the command strings is that tokens are replaced by data available at runtime. 

A malicious command could be entered into the system by storing the malicious command in place of the valid archiveCommand or restoreCommand. The malicious command would then be executed on line 265 within the exec method.

Any commands that are stored and retrieved should be verified prior to execution. Assuming that the command is safe because it is stored as a local property invites security issues.
{code:java}
CommitLogArchiver.java, lines 91-92:
91 String archiveCommand = commitlog_commands.getProperty("archive_command");
92 String restoreCommand = commitlog_commands.getProperty("restore_command");

CommitLogArchiver.java, lines 261-266:
261 private void exec(String command) throws IOException
262 {
263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
264     pb.redirectErrorStream(true);
265     FBUtilities.exec(pb);
266 }

CommitLogArchiver.java, lines 129-144:
129 public void maybeArchive(final CommitLogSegment segment)
130 {
131     if (Strings.isNullOrEmpty(archiveCommand))
132         return;
133 
134     archivePending.put(segment.getName(), executor.submit(new WrappedRunnable()
135     {
136         protected void runMayThrow() throws IOException
137         {
138             segment.waitForFinalSync();
139             String command = archiveCommand.replace(""%name"", segment.getName());
140             command = command.replace(""%path"", segment.getPath());
141             exec(command);
142         }
143     }));
144 }

CommitLogArchiver.java, lines 152-166:
152 public void maybeArchive(final String path, final String name)
153 {
154     if (Strings.isNullOrEmpty(archiveCommand))
155         return;
156 
157     archivePending.put(name, executor.submit(new WrappedRunnable()
158     {
159         protected void runMayThrow() throws IOException
160         {
161             String command = archiveCommand.replace("%name", name);
162             command = command.replace("%path", path);
163             exec(command);
164         }
165     }));
166 }
{code}

  was:
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.

Issue:
Two commands, archiveCommand and restoreCommand, are stored as string properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The only processing performed on the command strings is that tokens are replaced by data available at runtime. 

A malicious command could be entered into the system by storing the malicious command in place of the valid archiveCommand or restoreCommand. The malicious command would then be executed on line 265 within the exec method.

Any commands that are stored and retrieved should be verified prior to execution. Assuming that the command is safe because it is stored as a local property invites security issues.
{code:java}
CommitLogArchiver.java, lines 91-92:
91 String archiveCommand = commitlog_commands.getProperty("archive_command");
92 String restoreCommand = commitlog_commands.getProperty("restore_command");

CommitLogArchiver.java, lines 261-266:
261 private void exec(String command) throws IOException
262 {
263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
264     pb.redirectErrorStream(true);
265     FBUtilities.exec(pb);
266 }

CommitLogArchiver.java, lines 152-166:
152 public void maybeArchive(final String path, final String name)
153 {
154     if (Strings.isNullOrEmpty(archiveCommand))
155         return;
156 
157     archivePending.put(name, executor.submit(new WrappedRunnable()
158     {
159         protected void runMayThrow() throws IOException
160         {
161             String command = archiveCommand.replace("%name", name);
162             command = command.replace("%path", path);
163             exec(command);
164         }
165     }));
166 }
{code}


> Command Injection
> -----------------
>
>                 Key: CASSANDRA-12307
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12307
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Eduardo Aguinaga
>            Priority: Critical
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.
> Issue:
> Two commands, archiveCommand and restoreCommand, are stored as string properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The only processing performed on the command strings is that tokens are replaced by data available at runtime. 
> A malicious command could be entered into the system by storing the malicious command in place of the valid archiveCommand or restoreCommand. The malicious command would then be executed on line 265 within the exec method.
> Any commands that are stored and retrieved should be verified prior to execution. Assuming that the command is safe because it is stored as a local property invites security issues.
> {code:java}
> CommitLogArchiver.java, lines 91-92:
> 91 String archiveCommand = commitlog_commands.getProperty("archive_command");
> 92 String restoreCommand = commitlog_commands.getProperty("restore_command");
> CommitLogArchiver.java, lines 261-266:
> 261 private void exec(String command) throws IOException
> 262 {
> 263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
> 264     pb.redirectErrorStream(true);
> 265     FBUtilities.exec(pb);
> 266 }
> CommitLogArchiver.java, lines 129-144:
> 129 public void maybeArchive(final CommitLogSegment segment)
> 130 {
> 131     if (Strings.isNullOrEmpty(archiveCommand))
> 132         return;
> 133 
> 134     archivePending.put(segment.getName(), executor.submit(new WrappedRunnable()
> 135     {
> 136         protected void runMayThrow() throws IOException
> 137         {
> 138             segment.waitForFinalSync();
> 139             String command = archiveCommand.replace(""%name"", segment.getName());
> 140             command = command.replace(""%path"", segment.getPath());
> 141             exec(command);
> 142         }
> 143     }));
> 144 }
> CommitLogArchiver.java, lines 152-166:
> 152 public void maybeArchive(final String path, final String name)
> 153 {
> 154     if (Strings.isNullOrEmpty(archiveCommand))
> 155         return;
> 156 
> 157     archivePending.put(name, executor.submit(new WrappedRunnable()
> 158     {
> 159         protected void runMayThrow() throws IOException
> 160         {
> 161             String command = archiveCommand.replace("%name", name);
> 162             command = command.replace("%path", path);
> 163             exec(command);
> 164         }
> 165     }));
> 166 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)