Fortify flagged some things in Accumulo (mostly against 1.7 and 1.8). Actually, it flagged a lot of things, but there were a few that I noticed which are minor but wouldn't hurt for us to fix.
- The JarFile in Jar.java is never closed
- BoundedRangeFileInputStream invokes a PrivilegedAction for some reason I can't fathom (been this way since code import – I think it can be removed).
- Numeric validate on the refresh cookie in the monitor
- Use HttpOnly on the cookies we create to mark that we only expect them to be accessed by the browser
- We put the request URI back into the page body in DefautlServlet if we can't load the requested element (putting user-controlled info in a http response – generally bad news). We can just trim the data we write to the browser and log it instead.