
SonarQube report contains security vulnerabilities #551

Open
ghostGuiggs opened this issue Nov 2, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@ghostGuiggs

Hi,

My team forked this repository and while running it through SonarQube it detected 2 security-related vulnerabilities.
See the below screenshots:
[three screenshots of the SonarQube report; images not preserved]

We humbly welcome any suggestions on how to tackle those defects.

ghostGuiggs added the "bug" label Nov 2, 2022
@miller45

miller45 commented Mar 20, 2023

If you want to fix it on your fork: SonarQube is complaining because a class is instantiated via a plain string (34).
Though the code in line 61 throws an exception if the class is not "known", it is still possible to instantiate random classes that could have static initialization blocks with harmful code.
The code could be rewritten with classic "precompiled" class instantiation.
My idea would be to remove line 37 and then replace each case statement with this, for example (replace lines 39-42):

  case ACCESS_CONTROL_DEFAULT_CLASS:
    return new SimpleAclsProvider(builderAdminClient);

and do the same for CONFLUENT_CLOUD_CONTROL_CLASS, CONFLUENT_HYBRID_CLOUD_CONTROL_CLASS and RBAC_ACCESS_CONTROL_CLASS.

In the meantime you can make sure that no one can access your julie-ops properties file and insert a malicious class name.
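The two patterns the comment above contrasts, as an added example that is not code from julie-ops or from miller45: the reflective build that SonarQube flags, where `Class.forName` loads and initialises whatever class the properties file names before the "known class" check runs, next to the suggested rewrite that only ever calls constructors resolved at compile time. The constant names `ACCESS_CONTROL_DEFAULT_CLASS` and `RBAC_ACCESS_CONTROL_CLASS`, `SimpleAclsProvider` and `builderAdminClient` come from the issue; the `AccessControlProvider` interface, the `RbacProvider` class, the constructor signatures, the constant values and the `access.control.class` property key are assumptions made for the illustration.

```java
// Added illustration, not julie-ops code. The interface, the second provider,
// the constructor arguments, the constant values and the property key are
// assumed; only the constant names and SimpleAclsProvider come from the issue.
import java.util.Properties;

interface AccessControlProvider {
  String describe();
}

// Stand-ins for the project's providers (assumed shape).
class SimpleAclsProvider implements AccessControlProvider {
  private final Object adminClient;
  SimpleAclsProvider(Object adminClient) { this.adminClient = adminClient; }
  public String describe() { return "acls via " + adminClient; }
}

class RbacProvider implements AccessControlProvider {
  private final Object adminClient;
  RbacProvider(Object adminClient) { this.adminClient = adminClient; }
  public String describe() { return "rbac via " + adminClient; }
}

public class AccessControlProviderFactory {
  // Constant names as in the issue; the values are placeholders, not the real ones.
  static final String ACCESS_CONTROL_DEFAULT_CLASS = "example.SimpleAclsProvider";
  static final String RBAC_ACCESS_CONTROL_CLASS = "example.RbacProvider";

  // The pattern SonarQube flags: the class name comes straight from the
  // properties file and goes into Class.forName, which loads AND initialises
  // (runs the static initialiser of) whatever class it names. The "known
  // class" check afterwards comes too late to prevent that.
  static AccessControlProvider reflectiveBuild(String className, Object adminClient)
      throws ReflectiveOperationException {
    Class<?> clazz = Class.forName(className);           // static init already ran here
    if (!AccessControlProvider.class.isAssignableFrom(clazz)) {
      throw new IllegalArgumentException("unknown access control class: " + className);
    }
    return (AccessControlProvider) clazz.getConstructor(Object.class).newInstance(adminClient);
  }

  // The rewrite suggested in the issue: no reflection at all. The config value
  // is only compared against the fixed set of constants, and each branch calls
  // a constructor resolved at compile time, so no other class can be loaded
  // whatever the properties file says. Unknown values are rejected up front.
  static AccessControlProvider build(String className, Object adminClient) {
    switch (className) {
      case ACCESS_CONTROL_DEFAULT_CLASS:
        return new SimpleAclsProvider(adminClient);
      case RBAC_ACCESS_CONTROL_CLASS:
        return new RbacProvider(adminClient);
      default:
        throw new IllegalArgumentException("unknown access control class: " + className);
    }
  }

  public static void main(String[] args) {
    // Constructed sample of what the properties file might carry (assumed key).
    Properties props = new Properties();
    props.setProperty("access.control.class", RBAC_ACCESS_CONTROL_CLASS);
    Object builderAdminClient = "builderAdminClient";   // stand-in for the real client
    String configured = props.getProperty("access.control.class");

    System.out.println(build(configured, builderAdminClient).describe());
    try {
      // A name outside the constant set is refused before any class is loaded.
      build("java.util.ArrayList", builderAdminClient);
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The point of the `switch` form is that the string from the properties file never reaches a class loader: it is compared with `equals` against a closed list, and every `new` names a type the compiler already verified. With the reflective form, the only remaining defence is the file-permission advice in the comment above, which is why the rewrite is the better fix and the permission hardening only a stopgap.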
