Posted to commits@cassandra.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2016/07/27 17:29:20 UTC

[jira] [Created] (CASSANDRA-12325) Access Specifier Manipulation

Eduardo Aguinaga created CASSANDRA-12325:
--------------------------------------------

             Summary: Access Specifier Manipulation
                 Key: CASSANDRA-12325
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12325
             Project: Cassandra
          Issue Type: Bug
            Reporter: Eduardo Aguinaga
             Fix For: 3.0.5


Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

Issue:
There are 18 instances in the Cassandra source code where setAccessible() is used to suppress Java language access checking. Static analysis tools such as Fortify log every use of setAccessible(), and each such use represents a possible security issue.

The use of setAccessible() can cause security problems if Java access checking is suppressed for longer than required, or where an approach that does not suppress access checking is available. This issue lists all 18 instances where setAccessible() is used; each usage should be reviewed and checked to make sure it is not used inappropriately.
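The review this ticket asks for is mostly a matter of locating each setAccessible(true) call and checking whether access checking is ever restored on the same object. The following is an added example, not code from the ticket or from Cassandra: a small scanner that reproduces that triage step over constructed Java fragments (one modelled on the UDHelper.java snippet, one where the flag is reset in a finally block). File names and contents are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample sources. The first is modelled on the UDHelper.java fragment
# quoted in this ticket; the second shows access checking being restored.
SAMPLE_SOURCES: Dict[str, str] = {
    "UDHelper.java": """\
try
{
    Class<?> cls = Class.forName("com.datastax.driver.core.DataTypeClassNameParser");
    Method m = cls.getDeclaredMethod("parseOne", String.class);
    m.setAccessible(true);
    methodParseOne = MethodHandles.lookup().unreflect(m);
}
catch (Exception e)
{
    throw new RuntimeException(e);
}
""",
    "Scoped.java": """\
Field f = Unsafe.class.getDeclaredField("theUnsafe");
f.setAccessible(true);
try {
    unsafe = (Unsafe) f.get(null);
} finally {
    f.setAccessible(false);   // access checking restored once the value is captured
}
""",
}

# Matches "<receiver>.setAccessible(true|false)" and captures both parts.
SET_ACCESSIBLE = re.compile(r'\b(\w+)\.setAccessible\(\s*(true|false)\s*\)')

def find_set_accessible(src: str) -> List[Tuple[int, str, bool]]:
    """Return (line number, receiver variable, enabled) for every setAccessible() call."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in SET_ACCESSIBLE.finditer(line):
            hits.append((lineno, m.group(1), m.group(2) == "true"))
    return hits

def audit(sources: Dict[str, str]) -> List[str]:
    """One finding per setAccessible(true) whose receiver is never reset to false in the same file."""
    findings = []
    for name, src in sources.items():
        hits = find_set_accessible(src)
        reset = {recv for _, recv, on in hits if not on}
        for lineno, recv, on in hits:
            if on and recv not in reset:
                findings.append(f"{name}:{lineno} {recv}.setAccessible(true) is never reset")
    return findings
```

The receiver-name match is a triage heuristic, not a proof of misuse: a Method or Field reference that is discarded right after the reflective lookup, as in the quoted snippet, keeps its relaxed flag only on that local copy, which is exactly the judgement the manual review has to make per instance.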

setAccessible() is used in the following places:
UDHelper.java Line 49
HadoopCompat.java Line 109, 113, 118, 150, 152, 154
Memory.java Line 42
GCInspector.java Line 68
Locks.java Line 33
Ref.java Line 626
FastByteOperations.java Line 150
FBUtilities.java Line 539
Hex.java Line 128
MemoryUtil.java Line 61
SyncUtil.java Line 33, 45, 57

UDHelper.java, lines 45-56:
{code:java}
45 try
46 {
47     Class<?> cls = Class.forName("com.datastax.driver.core.DataTypeClassNameParser");
48     Method m = cls.getDeclaredMethod("parseOne", String.class, ProtocolVersion.class, CodecRegistry.class);
49     m.setAccessible(true);
50     methodParseOne = MethodHandles.lookup().unreflect(m);
51     codecRegistry = new CodecRegistry();
52 }
53 catch (Exception e)
54 {
55     throw new RuntimeException(e);
56 }
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)