[CASSANDRA-12307] Command Injection - ASF JIRA

Agile Board

Attach files

Attach Screenshot

Bulk Copy Attachments

Bulk Move Attachments

Voters

Watch issue

Watchers

Convert to Issue

Move

Link

Clone

Labels

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Urgent
Resolution: Duplicate
Fix Version/s: None
Component/s: None
Labels:
None

Description

Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.

Issue:
Two commands, archiveCommand and restoreCommand, are stored as string properties and retrieved on lines 91 and 92 of CommitLogArchiver.java. The only processing performed on the command strings is that tokens are replaced by data available at runtime.

A malicious command could be entered into the system by storing the malicious command in place of the valid archiveCommand or restoreCommand. The malicious command would then be executed on line 265 within the exec method.

Any commands that are stored and retrieved should be verified prior to execution. Assuming that the command is safe because it is stored as a local property invites security issues.

CommitLogArchiver.java, lines 91-92:
91 String archiveCommand = commitlog_commands.getProperty("archive_command");
92 String restoreCommand = commitlog_commands.getProperty("restore_command");

CommitLogArchiver.java, lines 129-144:
129 public void maybeArchive(final CommitLogSegment segment)
130 {
131     if (Strings.isNullOrEmpty(archiveCommand))
132         return;
133 
134     archivePending.put(segment.getName(), executor.submit(new WrappedRunnable()
135     {
136         protected void runMayThrow() throws IOException
137         {
138             segment.waitForFinalSync();
139             String command = archiveCommand.replace(""%name"", segment.getName());
140             command = command.replace(""%path"", segment.getPath());
141             exec(command);
142         }
143     }));
144 }

CommitLogArchiver.java, lines 152-166:
152 public void maybeArchive(final String path, final String name)
153 {
154     if (Strings.isNullOrEmpty(archiveCommand))
155         return;
156 
157     archivePending.put(name, executor.submit(new WrappedRunnable()
158     {
159         protected void runMayThrow() throws IOException
160         {
161             String command = archiveCommand.replace("%name", name);
162             command = command.replace("%path", path);
163             exec(command);
164         }
165     }));
166 }

CommitLogArchiver.java, lines 261-266:
261 private void exec(String command) throws IOException
262 {
263     ProcessBuilder pb = new ProcessBuilder(command.split(" "));
264     pb.redirectErrorStream(true);
265     FBUtilities.exec(pb);
266 }

Attachments

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Unassigned Assign to me

Reporter:: Eduardo Aguinaga

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 26/Jul/16 17:50

Updated:: 16/Apr/19 09:30

Resolved:: 30/Aug/16 11:28

Agile

View on Board

Command Injection

Details

Description

Attachments

Attachments

Activity

People

Dates

Agile

Slack

Issue deployment