Details
-
Sub-task
-
Status: Open
-
Normal
-
Resolution: Unresolved
-
None
-
None
Description
Overview:
In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis includes the issue below.
Issue:
There are multiple places in the Cassandra source code where a string that determines the path of a file is not examined prior to use. Path traversal vulnerabilities are common software security problems and failure to validate the path prior to open/creating a file may result in operating in a directory that is outside the intended control sphere.
Path manipulation issues were found in the following locations:
CompactionManager.java Line 637
Descriptor.java Line 224
MetadataSerializer.java Line 83, 153
CommitLog.java Line 199
LogTransaction.java Line 311
WindowsFailedSnapshotTracker.java Line 51, 55, 60, 78, 84, 95
LegacyMetadataSerializer.java Line 84
FileUtils.java Line 116, 172, 354, 368, 386, 437
RewindableDataInputStreamPlus.java Line 226
CassandraDaemon.java Line 557
NodeTool.java Line 261
CustomClassLoader.java Line 77
CoalescingStrategies.java Line 54, 150
FBUtilities.java Line 309, 748
The following snippet is from CompactionManager.java where unvalidated input is parsed and used to create a new File object on line 637:
CompactionManager.java, lines 621-638: 621 public void forceUserDefinedCompaction(String dataFiles) 622 { 623 String[] filenames = dataFiles.split(","); 624 Multimap<ColumnFamilyStore, Descriptor> descriptors = ArrayListMultimap.create(); 625 626 for (String filename : filenames) 627 { 628 // extract keyspace and columnfamily name from filename 629 Descriptor desc = Descriptor.fromFilename(filename.trim()); 630 if (Schema.instance.getCFMetaData(desc) == null) 631 { 632 logger.warn("Schema does not exist for file {}. Skipping.", filename); 633 continue; 634 } 635 // group by keyspace/columnfamily 636 ColumnFamilyStore cfs = Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname); 637 descriptors.put(cfs, cfs.getDirectories().find(new File(filename.trim()).getName())); 638 }