Details

    • Sub-task
    • Status: Open
    • Normal
    • Resolution: Unresolved
    • None
    • Local/Compaction
    • None

    Description

      Overview:
      In May through June of 2016 a static analysis was performed on version 3.0.5 of the Cassandra source code. The analysis included an automated analysis using HP Fortify v4.21 SCA and a manual analysis utilizing SciTools Understand v4. The results of that analysis include the issue below.

      Issue:
      There are multiple places in the Cassandra source code where a string that determines the path of a file is not examined prior to use. Path traversal vulnerabilities are common software security problems, and failure to validate the path prior to opening or creating a file may result in operating in a directory that is outside the intended control sphere.

      Path manipulation issues were found in the following locations:
      CompactionManager.java Line 637
      Descriptor.java Line 224
      MetadataSerializer.java Line 83, 153
      CommitLog.java Line 199
      LogTransaction.java Line 311
      WindowsFailedSnapshotTracker.java Line 51, 55, 60, 78, 84, 95
      LegacyMetadataSerializer.java Line 84
      FileUtils.java Line 116, 172, 354, 368, 386, 437
      RewindableDataInputStreamPlus.java Line 226
      CassandraDaemon.java Line 557
      NodeTool.java Line 261
      CustomClassLoader.java Line 77
      CoalescingStrategies.java Line 54, 150
      FBUtilities.java Line 309, 748

      The following snippet is from CompactionManager.java where unvalidated input is parsed and used to create a new File object on line 637:

      CompactionManager.java, lines 621-638:
      621 public void forceUserDefinedCompaction(String dataFiles)
      622 {
      623     String[] filenames = dataFiles.split(",");
      624     Multimap<ColumnFamilyStore, Descriptor> descriptors = ArrayListMultimap.create();
      625 
      626     for (String filename : filenames)
      627     {
      628         // extract keyspace and columnfamily name from filename
      629         Descriptor desc = Descriptor.fromFilename(filename.trim());
      630         if (Schema.instance.getCFMetaData(desc) == null)
      631         {
      632             logger.warn("Schema does not exist for file {}. Skipping.", filename);
      633             continue;
      634         }
      635         // group by keyspace/columnfamily
      636         ColumnFamilyStore cfs = Keyspace.open(desc.ksname).getColumnFamilyStore(desc.cfname);
      637         descriptors.put(cfs, cfs.getDirectories().find(new File(filename.trim()).getName()));
      638     }
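
One way to perform the missing check before a path string reaches `new File(...)`, shown as an added example that is not part of the original report or of the Cassandra code base. The class `ContainedPath`, the method `resolveWithin`, the temporary base directory and the sample inputs are all hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added illustration; class and method names are hypothetical, not Cassandra APIs.
public class ContainedPath
{
    /** Resolves untrusted input against baseDir, rejecting anything that lands outside it. */
    static Path resolveWithin(Path baseDir, String untrusted) throws IOException
    {
        Path base = baseDir.toRealPath();              // canonical base, symlinks resolved
        Path candidate;
        try
        {
            // resolve() returns its argument unchanged when it is absolute; the check below catches that
            candidate = base.resolve(untrusted.trim()).normalize();
        }
        catch (InvalidPathException e)                 // e.g. an embedded NUL byte
        {
            throw new IOException("Malformed path: " + e.getReason());
        }
        // If the target already exists, resolve symlinks so a link inside base cannot point outside it
        Path effective = Files.exists(candidate) ? candidate.toRealPath() : candidate;
        if (!effective.startsWith(base))               // component-wise comparison, not String.startsWith
            throw new IOException("Path escapes " + base + ": " + untrusted);
        return effective;
    }

    public static void main(String[] args) throws IOException
    {
        Path base = Files.createTempDirectory("data"); // constructed sample directory
        // Constructed sample inputs: one legitimate relative name, three that leave the base directory
        String[] inputs = { "ks/tbl/ma-1-big-Data.db", "../../etc/passwd",
                            "/etc/passwd", "ks/../../outside.db" };
        for (String in : inputs)
        {
            try
            {
                System.out.println("accepted: " + resolveWithin(base, in));
            }
            catch (IOException e)
            {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first input is accepted. For a target that does not exist yet, the symlink check does not cover its parent directories, so code that creates files should apply `toRealPath()` to the nearest existing parent as well.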
      

          People

            Unassigned Unassigned
            EdAInWestOC Eduardo Aguinaga