Posted to issues@commons.apache.org by "Pascal Schumacher (JIRA)" <ji...@apache.org> on 2016/10/19 15:24:58 UTC

[jira] [Closed] (LANG-1079) BUG -Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') ClassUtils

     [ https://issues.apache.org/jira/browse/LANG-1079?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pascal Schumacher closed LANG-1079.
-----------------------------------

> BUG -Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')  ClassUtils
> ---------------------------------------------------------------------------------------------------
>
>                 Key: LANG-1079
>                 URL: https://issues.apache.org/jira/browse/LANG-1079
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.x
>            Reporter: David Camilo Espitia Manrique
>            Priority: Minor
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> We are currently using "commons-lang3-3.0" and in the Veracode analysis found this bug in "ClassUtils line 792":
> Description:
> A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may
> create unexpected control flow paths through the application. Depending on how reflection is being used, the attack
> vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected
> manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the
> constructor of the user-supplied class name will have already executed.
> Recommendations:
> Validate the class name against a combination of white and black lists to ensure that only expected behavior is
> produced.
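One way to apply the recommendation above on the calling side, as an added example that is neither Commons Lang code nor the reporter's: the caller-supplied name is checked against an allow list, the class is resolved without initialization, and it is checked against the expected type before any constructor runs. It assumes commons-lang3 on the classpath and Java 9+ for `Set.of`; the allowed names and the `SafeClassLoader` class are constructed for the example.

```java
import java.util.List;
import java.util.Set;
import org.apache.commons.lang3.ClassUtils;

/**
 * Resolves a caller-supplied class name only if it is on an explicit allow list
 * and is assignable to the expected type, so that neither a static initializer
 * nor a constructor of an unexpected class ever executes.
 * (Hypothetical helper; commons-lang3 is assumed to be on the classpath.)
 */
public final class SafeClassLoader {

    // Constructed allow list: the only names this application will instantiate.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.ArrayList",
            "java.util.LinkedList",
            "java.util.HashMap");

    private SafeClassLoader() {}

    /** Instantiates className as a T, or throws before any reflective call touches it. */
    public static <T> T newInstance(String className, Class<T> expectedType)
            throws ReflectiveOperationException {
        if (className == null || !ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class name not permitted: " + className);
        }
        // initialize=false: obtain the Class object without running its static initializer
        Class<?> clazz = ClassUtils.getClass(className, false);
        if (!expectedType.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(className + " is not a " + expectedType.getName());
        }
        // Only an allow-listed, type-checked class reaches the constructor call
        return expectedType.cast(clazz.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        List<?> ok = newInstance("java.util.ArrayList", List.class);
        System.out.println("loaded " + ok.getClass().getName());
        try {
            newInstance("java.util.TreeMap", List.class);   // not on the allow list
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            newInstance("java.util.HashMap", List.class);   // allowed, but not a List
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```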


