Posted to issues@camel.apache.org by "Willem Jiang (JIRA)" <ji...@apache.org> on 2013/12/18 07:35:09 UTC

[jira] [Resolved] (CAMEL-7072) Veracode compliance. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) in AnnotationTypeConverterLoader

     [ https://issues.apache.org/jira/browse/CAMEL-7072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Willem Jiang resolved CAMEL-7072.
---------------------------------

       Resolution: Fixed
    Fix Version/s: 2.13.0
                   2.12.3
                   2.11.3

Applied the patch to master, camel-2.12.x and camel-2.11.x branches with thanks to Leonid.

> Veracode compliance. Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) in AnnotationTypeConverterLoader
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-7072
>                 URL: https://issues.apache.org/jira/browse/CAMEL-7072
>             Project: Camel
>          Issue Type: Improvement
>    Affects Versions: 2.12.2
>            Reporter: Leonid Marushevskiy
>            Assignee: Willem Jiang
>            Priority: Minor
>              Labels: Security, Veracode
>             Fix For: 2.11.3, 2.12.3, 2.13.0
>
>
> Pull request https://github.com/apache/camel/pull/68
> During a Veracode scan of our application we discovered a security issue in Camel. Please review our fix and apply it in future versions.
> Quote from Veracode report below:
> Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470) (1 flaw)
> Description
> A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may
> create unexpected control flow paths through the application. Depending on how reflection is being used, the attack
> vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected
> manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the
> constructor of the user-supplied class name will have already executed.
> Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
> Recommendations
> Validate the class name against a combination of white and black lists to ensure that only expected behavior is
> produced.
> Instances found via Static Scan
> Module # Class # Module Location Fix By Flaw Id
> .../AnnotationTypeConverterLoader.java - line 168
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
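The Veracode description quoted in the issue makes one point that is easy to miss: if a class name crosses the trust boundary and reaches Class.forName(...).newInstance(), the named class's constructor (and static initializer) runs before any cast to the expected interface can fail. The following is an added, self-contained example written for this editorial note; it is not Camel's code and does not reproduce the AnnotationTypeConverterLoader fix. The types Plugin, BenignPlugin and Trojan are hypothetical. It shows the vulnerable pattern beside a hardened variant that checks an allowlist, loads the class without initializing it, and verifies assignability before any constructor runs.

```java
import java.util.Set;

/**
 * CWE-470 demonstration (hypothetical types, not Camel's).
 * Compile and run with: javac UnsafeReflectionDemo.java && java UnsafeReflectionDemo
 */
public class UnsafeReflectionDemo {

    /** The interface the caller actually wants an instance of. */
    public interface Plugin {
        String name();
    }

    /** A legitimate implementation that should be loadable. */
    public static class BenignPlugin implements Plugin {
        public String name() { return "benign"; }
    }

    /**
     * Stand-in for an arbitrary class on the classpath that does NOT
     * implement Plugin. Its constructor has an observable side effect,
     * which is the point: the side effect happens before the cast fails.
     */
    public static class Trojan {
        static int constructions = 0;
        public Trojan() { constructions++; }
    }

    /** Vulnerable: any loadable class name is instantiated, then cast. */
    static Plugin loadUnsafe(String className) throws Exception {
        Object o = Class.forName(className).getDeclaredConstructor().newInstance();
        return (Plugin) o; // too late: the constructor has already executed
    }

    /** Allowlist of class names this component is prepared to instantiate. */
    static final Set<String> ALLOWED = Set.of("UnsafeReflectionDemo$BenignPlugin");

    /** Hardened: allowlist, then a non-initializing load, then a type check. */
    static Plugin loadSafe(String className) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not allowed: " + className);
        }
        // initialize=false resolves the class without running its static initializer.
        Class<?> c = Class.forName(className, false, UnsafeReflectionDemo.class.getClassLoader());
        if (!Plugin.class.isAssignableFrom(c)) {
            throw new IllegalArgumentException("not a Plugin: " + className);
        }
        // Only now does a constructor run, and only for an allowlisted Plugin.
        return c.asSubclass(Plugin.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input standing in for an attacker-controlled class name.
        String attackerControlled = "UnsafeReflectionDemo$Trojan";

        try {
            loadUnsafe(attackerControlled);
        } catch (ClassCastException e) {
            System.out.println("unsafe: cast failed, but Trojan was constructed "
                    + Trojan.constructions + " time(s)");
        }

        try {
            loadSafe(attackerControlled);
        } catch (IllegalArgumentException e) {
            System.out.println("safe: rejected before loading (" + e.getMessage() + ")");
        }
        System.out.println("Trojan constructed " + Trojan.constructions + " time(s) in total");

        System.out.println("safe: " + loadSafe("UnsafeReflectionDemo$BenignPlugin").name());
    }
}
```

Running it prints that the unsafe path constructed Trojan once despite the ClassCastException, while the hardened path never loaded it. The order of checks matters: the allowlist decides before the class loader is consulted at all, Class.forName with initialize=false keeps static initializers from firing during the lookup, and isAssignableFrom is evaluated before getDeclaredConstructor().newInstance(). A denylist alone would not give this property, since any class not on the list would still have its constructor executed.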