kafka-ops/julie

SonarQube report contains security vulnerabilities

ghostGuiggs opened this issue · 1 comment

Hi,

My team forked this repository and while running it through SonarQube it detected 2 security-related vulnerabilities.
See the below screenshots:
[three SonarQube screenshots attached to the issue, not reproduced here]

We humbly welcome any suggestions on how to tackle those defects.

If you want to fix it on your fork: SonarQube is complaining because a class is instantiated via a plain string (line 34).
Though the code in line 61 throws an exception if the class is not "known", it is still possible to instantiate random classes that could have static initialization blocks with harmful code.
The code could be rewritten with classic "precompiled" class instantiation.
My idea would be to remove line 37 and then replace each case statement with this, for example (replace lines 39-42):

```java
case ACCESS_CONTROL_DEFAULT_CLASS:
    return new SimpleAclsProvider(builderAdminClient);
```

and do the same for CONFLUENT_CLOUD_CONTROL_CLASS, CONFLUENT_HYBRID_CLOUD_CONTROL_CLASS and RBAC_ACCESS_CONTROL_CLASS.

In the meantime you can make sure that no one can access your julie-ops properties file and insert their own malicious class name.
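To make the suggestion above concrete, here is an added, self-contained Java sketch that is not JulieOps code: a factory that loads the provider class named in a configuration string via reflection (the pattern SonarQube flags, with the "known" check after loading) beside the "precompiled" variant that only switches over known constants. The interface, the `RbacProvider` class, the `AdminClient` stand-in and the constant values are assumptions for illustration; only `SimpleAclsProvider` and the constant names come from this thread.

```java
import java.util.Set;

// Added illustration, not JulieOps code. Everything except SimpleAclsProvider
// and the constant names is an assumption made for this example.
public class ProviderFactoryDemo {
    interface AccessControlProvider { String name(); }
    static class AdminClient { }                      // stand-in for builderAdminClient's type
    static class SimpleAclsProvider implements AccessControlProvider {
        public SimpleAclsProvider(AdminClient c) { }
        public String name() { return "simple-acls"; }
    }
    static class RbacProvider implements AccessControlProvider {
        public RbacProvider(AdminClient c) { }
        public String name() { return "rbac"; }
    }

    // Constant values are assumed (binary names of the nested classes above).
    static final String ACCESS_CONTROL_DEFAULT_CLASS = "ProviderFactoryDemo$SimpleAclsProvider";
    static final String RBAC_ACCESS_CONTROL_CLASS = "ProviderFactoryDemo$RbacProvider";

    // BEFORE: the configured string goes straight to Class.forName, so any class on the
    // classpath is loaded (and its static initializer run) before the name is checked.
    static AccessControlProvider reflective(String configured, AdminClient c) throws Exception {
        Class<?> clazz = Class.forName(configured);   // static initialization happens here
        if (!Set.of(ACCESS_CONTROL_DEFAULT_CLASS, RBAC_ACCESS_CONTROL_CLASS).contains(configured))
            throw new IllegalArgumentException("Unknown provider: " + configured);
        return (AccessControlProvider) clazz.getConstructor(AdminClient.class).newInstance(c);
    }

    // AFTER: the string only selects a branch; no class is ever loaded from config input.
    static AccessControlProvider precompiled(String configured, AdminClient c) {
        switch (configured) {
            case ACCESS_CONTROL_DEFAULT_CLASS:
                return new SimpleAclsProvider(c);
            case RBAC_ACCESS_CONTROL_CLASS:
                return new RbacProvider(c);
            default:
                throw new IllegalArgumentException("Unknown provider: " + configured);
        }
    }

    public static void main(String[] args) throws Exception {
        AdminClient c = new AdminClient();
        System.out.println(reflective(ACCESS_CONTROL_DEFAULT_CLASS, c).name());  // simple-acls
        System.out.println(precompiled(RBAC_ACCESS_CONTROL_CLASS, c).name());    // rbac
        try { precompiled("some.unknown.ClassName", c); }                         // constructed value
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Run with `java ProviderFactoryDemo.java` (Java 11+); the unknown name is rejected by the switch without any class lookup taking place.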