Direct Use of Unsafe JNI [SECURITY] #hacktoberfest

[chawdamrunal]

commit : https://github.com/quelea-projection/Quelea/commit/7d8c235c4270d56389a9ccd95ad44e75c100e90a#diff-bd66c6f15a6083331abcae3625541567a83531e39bc44bd56c04c1e560a028d8

runOnVIDThread method calls a native code library at line 123 of Quelea- master/Quelea/src/main/java/org/quelea/windows/multimedia/MacVideo.java, passing it sanitisedPath as a parameter. However, this parameter is based on user input getText, which flows through the system without validation, after entering the system in getTheme at line 423 of Quelea-master/Quelea/src/main/java/org/quelea/windows/newsong/ThemeToolbar.java. This could enable an attacker to bypass security mechanisms and exploit a vulnerability in the native code.

Recommendations :

• Avoid using native libraries, if at all possible.
  • Rearchitect the application to enable required functionality to be developed using safer Java APIs, instead of native code.
  • Do not use JNI calls to an untrusted native library. Explicitly review the native code in depth for potential security flaws and incongruent developer expectations.
  • Perform data validation on all input before passing to a JNI function call, as appropriate to the specific parameter context; perform validation on any result returned by the function.
  • Implement error handling around the JNI call, to catch any exceptions that may be caused by the native code. #

[berry120]

This class is no longer in use after a refactor.