Posted to commits@cassandra.apache.org by "C. Scott Andreas (JIRA)" <ji...@apache.org> on 2018/11/19 05:27:00 UTC

[jira] [Updated] (CASSANDRA-12325) Access Specifier Manipulation

     [ https://issues.apache.org/jira/browse/CASSANDRA-12325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

C. Scott Andreas updated CASSANDRA-12325:
-----------------------------------------
    Component/s: Core

> Access Specifier Manipulation
> -----------------------------
>
>                 Key: CASSANDRA-12325
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12325
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Core
>            Reporter: Eduardo Aguinaga
>            Priority: Major
>
> Overview:
> In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.
> Issue:
> There are 18 instances in the Cassandra source code where setAccessible() is used to suppress Java language access checking. Static analysis automation tools, like Fortify, will log every instance of the use of setAccessible() and its use represents a possible security issue.
> The use of setAccessible() can cause security problems if the Java access checking is suppressed longer than required or another approach could be taken other than suppressing access checking. This issue will list all 18 instances where setAccessible() is used and the usage of this method should be reviewed and checked to make sure it is not used inappropriately.
> setAccessible() is used in the following places:
> UDHelper.java Line 49
> HadoopCompat.java Line 109, 113, 118, 150, 152, 154
> Memory.java Line 42
> GCInspector.java Line 68
> Locks.java Line 33
> Ref.java Line 626
> FastByteOperations.java Line 150
> FBUtilities.java Line 539
> Hex.java Line 128
> MemoryUtil.java Line 61
> SyncUtil.java Line 33, 45, 57
> UDHelper.java, lines 45-56:
> {code:java}
> 45 try
> 46 {
> 47     Class<?> cls = Class.forName("com.datastax.driver.core.DataTypeClassNameParser");
> 48     Method m = cls.getDeclaredMethod("parseOne", String.class, ProtocolVersion.class, CodecRegistry.class);
> 49     m.setAccessible(true);
> 50     methodParseOne = MethodHandles.lookup().unreflect(m);
> 51     codecRegistry = new CodecRegistry();
> 52 }
> 53 catch (Exception e)
> 54 {
> 55     throw new RuntimeException(e);
> 56 }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
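The two concerns raised in the ticket, access checking left suppressed longer than required and the existence of an alternative to suppressing it at all, are easier to review with a concrete comparison. The following is an added example and is not code from Cassandra or from the ticket; the class Parser and its private static method parseOne are hypothetical stand-ins for the third-party DataTypeClassNameParser.parseOne referenced in the UDHelper snippet, and the three helpers are names chosen here for illustration. It needs Java 9 or later for trySetAccessible, canAccess and MethodHandles.privateLookupIn.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;

public class SetAccessibleScope {

    // Shape flagged by the ticket: access checking is disabled on the Method object
    // and never restored, so anything that can reach that object can keep calling
    // the private member for the life of the process.
    static MethodHandle unscoped(Method m) throws Exception {
        m.setAccessible(true);
        return MethodHandles.lookup().unreflect(m);
    }

    // Narrowed variant: ask rather than force (trySetAccessible returns false instead
    // of throwing when a named module does not open the package), fail closed in that
    // case, keep checking suppressed only for the unreflect call, and restore the flag.
    // The MethodHandle keeps the access granted at creation, so callers are unaffected.
    static MethodHandle scoped(Method m) throws Exception {
        if (!m.trySetAccessible()) {
            throw new IllegalStateException(m + " is not accessible from this module");
        }
        try {
            return MethodHandles.lookup().unreflect(m);
        } finally {
            m.setAccessible(false);
        }
    }

    // Alternative that flips no accessible flag at all: obtain a Lookup that carries
    // private access to the target class and resolve the handle through it. It succeeds
    // under the same module conditions as setAccessible(true), but the privilege is tied
    // to the Lookup object instead of to a mutable, shareable Method instance.
    static MethodHandle viaPrivateLookup() throws Exception {
        MethodHandles.Lookup privileged =
                MethodHandles.privateLookupIn(Parser.class, MethodHandles.lookup());
        return privileged.findStatic(Parser.class, "parseOne",
                MethodType.methodType(String.class, String.class));
    }

    public static void main(String[] args) throws Throwable {
        // Each getDeclaredMethod call returns a fresh Method with its own accessible flag,
        // so use one object per variant to observe what each leaves behind.
        Method a = Parser.class.getDeclaredMethod("parseOne", String.class);
        MethodHandle h1 = unscoped(a);
        System.out.println("unscoped:         result=" + h1.invoke(" TEXT ")
                + " methodStillAccessible=" + a.canAccess(null));

        Method b = Parser.class.getDeclaredMethod("parseOne", String.class);
        MethodHandle h2 = scoped(b);
        System.out.println("scoped:           result=" + h2.invoke(" TEXT ")
                + " methodStillAccessible=" + b.canAccess(null));

        MethodHandle h3 = viaPrivateLookup();
        System.out.println("privateLookupIn:  result=" + h3.invoke(" TEXT "));
    }
}

// Hypothetical target class (constructed for this example). It is a separate top-level
// class, not a nested one, so that SetAccessibleScope is not its nestmate and the JVM
// really does deny access to parseOne unless checking is suppressed or a private lookup is used.
class Parser {
    private static String parseOne(String typeName) {
        return typeName.trim().toLowerCase();
    }
}
```

All three variants produce the same handle behaviour; the difference is what remains after the handle exists. After unscoped() the Method object reports canAccess(null) as true, after scoped() it reports false, and viaPrivateLookup() never touches the flag. When reviewing the 18 call sites listed above, the questions to ask are therefore whether the accessible flag is reset once the handle or value has been obtained, whether a failed suppression is handled rather than propagated as a generic RuntimeException, and whether a Lookup-based resolution would do the same job without leaving a privileged Method or Field object reachable.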