[JBoss JIRA] (ELY-611) Unintentional integer overflow in LongNameSetPermissionCollection
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/ELY-611?page=com.atlassian.jira.plugin.sy... ]
Ondrej Lukas updated ELY-611:
-----------------------------
Fix Version/s: 1.1.0.Beta8
> Unintentional integer overflow in LongNameSetPermissionCollection
> -----------------------------------------------------------------
>
> Key: ELY-611
> URL: https://issues.jboss.org/browse/ELY-611
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: static_analysis
> Fix For: 1.1.0.Beta8
>
>
> There are potentially overflowing expressions in org.wildfly.security.permission.LongNameSetPermissionCollection in the {{getBitsForName}} method. The expressions {{1 << nameEnumeration.size()}} and {{1 << nameEnumeration.indexOf(name)}} are evaluated as integers but assigned to the {{bits}} variable, which is long. It can be avoided by casting {{1}} to long.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
[JBoss JIRA] (ELY-609) Unguarded read in ElytronPolicyConfiguration
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/ELY-609?page=com.atlassian.jira.plugin.sy... ]
Ondrej Lukas updated ELY-609:
-----------------------------
Fix Version/s: 1.1.0.Beta8
> Unguarded read in ElytronPolicyConfiguration
> --------------------------------------------
>
> Key: ELY-609
> URL: https://issues.jboss.org/browse/ELY-609
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: static_analysis
> Fix For: 1.1.0.Beta8
>
>
> Access to the fields {{uncheckedPermissions}}, {{excludedPermissions}} and {{rolePermissions}} in {{org.wildfly.security.authz.jacc.ElytronPolicyConfiguration}} is guarded by a lock. However, the lock is not used in their getter methods. Getters should also be guarded by locks to avoid unguarded reads of those fields.
[JBoss JIRA] (ELY-615) Improvement for usage of file.mkdirs() in FileSystemSecurityRealm.Identity
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-615:
--------------------------------
Summary: Improvement for usage of file.mkdirs() in FileSystemSecurityRealm.Identity
Key: ELY-615
URL: https://issues.jboss.org/browse/ELY-615
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.0.Beta7
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Minor
There is a method {{tempPath()}} in org.wildfly.security.auth.realm.FileSystemSecurityRealm.Identity which uses {{file.mkdirs()}} without checking its return value. It is bad practice to ignore the return value of this method (since false means that the file has not been created, and it can result in unexpected and confusing failures later).
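The following is an added example written for this page; it is not code from WildFly Elytron. It shows the shape described in ELY-615 (the boolean from {{mkdirs()}} dropped), a checked version, and the NIO alternative. The method names, the `name + ".tmp"` layout and the sample paths are assumptions; the point to keep in mind is that `mkdirs()` returns false both when creation failed and when the directory already existed, so the check has to tell those apart.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not Elytron's FileSystemSecurityRealm.Identity: three ways to prepare
// the directory that a temporary identity file is written into.
public final class MkdirsCheck {

    // ELY-615 shape: the result of mkdirs() is ignored. If the directory could not be
    // created (permissions, a plain file in the way, read-only volume), the failure only
    // surfaces later, as an unrelated exception from whoever writes into the path.
    static File tempPathUnchecked(File dir, String name) {
        dir.mkdirs();
        return new File(dir, name + ".tmp");
    }

    // Checked: mkdirs() returns false both on failure and when the directory already
    // exists, so isDirectory() is needed to separate the error from the benign case.
    static File tempPathChecked(File dir, String name) throws IOException {
        if (!dir.mkdirs() && !dir.isDirectory()) {
            throw new IOException("could not create directory " + dir);
        }
        return new File(dir, name + ".tmp");
    }

    // NIO alternative: Files.createDirectories throws on failure and is a no-op for an
    // existing directory, so there is no return value that can be forgotten.
    static Path tempPathNio(Path dir, String name) throws IOException {
        Files.createDirectories(dir);
        return dir.resolve(name + ".tmp");
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("mkdirs-check");          // constructed scratch area
        File blocker = base.resolve("blocked").toFile();
        Files.write(blocker.toPath(), new byte[0]);                     // a plain file where the directory should go

        File unchecked = tempPathUnchecked(blocker, "alice");
        System.out.println("unchecked variant returned " + unchecked + " although its parent is a plain file");

        try {
            tempPathChecked(blocker, "alice");
        } catch (IOException e) {
            System.out.println("checked variant: " + e.getMessage());
        }

        // Benign case: the directory exists already. mkdirs() returns false here,
        // but isDirectory() is true, so no error is raised.
        Path first = tempPathNio(base.resolve("identities"), "bob");
        File second = tempPathChecked(base.resolve("identities").toFile(), "carol");
        System.out.println(first + " and " + second + " resolved under an existing directory");
    }
}
```

Run as written, the unchecked variant hands back a path under a parent that is a regular file, the checked variant raises the IOException at the point of the mistake, and the second `tempPathChecked` call succeeds even though `mkdirs()` returned false for the existing directory.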
[JBoss JIRA] (ELY-614) Missing null check in equals() method of AbstractPermission
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-614:
--------------------------------
Summary: Missing null check in equals() method of AbstractPermission
Key: ELY-614
URL: https://issues.jboss.org/browse/ELY-614
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.0.Beta7
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
There is a missing null check in the {{org.wildfly.security.permission.AbstractPermission.equals(Object obj)}} method. An NPE is thrown for a null {{obj}} parameter.
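An added example, not Elytron's AbstractPermission, showing an {{equals()}} that honours the Object.equals contract for null and for foreign types next to a representative unchecked variant of the shape reported in ELY-614 (the original method body is not on this page, so the unchecked variant is an assumption). Permission objects are compared inside collections and implies() checks, so an exception out of equals() aborts the authorization decision instead of answering it.

```java
import java.util.Objects;

// Added example, not Elytron code: a minimal named permission with a contract-conforming equals().
public final class NamePermission {
    private final String name;
    private final String actions;

    public NamePermission(String name, String actions) {
        this.name = Objects.requireNonNull(name, "name");
        this.actions = actions == null ? "" : actions;
    }

    // Representative ELY-614 shape (assumed, not the original code): obj is dereferenced
    // before any null check, so a null argument throws NullPointerException.
    public boolean equalsUnchecked(Object obj) {
        if (obj.getClass() != getClass()) return false;
        NamePermission other = (NamePermission) obj;
        return name.equals(other.name) && actions.equals(other.actions);
    }

    // Contract-conforming: instanceof is false for null and for unrelated types, so both
    // cases return false without touching obj.
    @Override
    public boolean equals(Object obj) {
        if (this == obj) return true;
        if (!(obj instanceof NamePermission)) return false;
        NamePermission other = (NamePermission) obj;
        return name.equals(other.name) && actions.equals(other.actions);
    }

    // equals() and hashCode() must agree, otherwise hash-based permission collections misbehave.
    @Override
    public int hashCode() {
        return Objects.hash(name, actions);
    }

    @Override
    public String toString() {
        return "NamePermission[" + name + ", " + actions + "]";
    }

    public static void main(String[] args) {
        NamePermission p = new NamePermission("login", "read");     // constructed sample
        System.out.println("equals(null)            = " + p.equals(null));
        System.out.println("equals(\"login\")         = " + p.equals("login"));
        System.out.println("equals(same fields)     = " + p.equals(new NamePermission("login", "read")));
        System.out.println("equals(other actions)   = " + p.equals(new NamePermission("login", "write")));
        try {
            p.equalsUnchecked(null);
        } catch (NullPointerException e) {
            System.out.println("unchecked variant threw NullPointerException for null");
        }
    }
}
```

The first three comparisons return false, false and true without throwing; only the unchecked variant raises an exception, which is the behaviour the issue reports.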
[JBoss JIRA] (ELY-613) Some nested classes should be considered to be static nested in Elytron
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-613:
--------------------------------
Summary: Some nested classes should be considered to be static nested in Elytron
Key: ELY-613
URL: https://issues.jboss.org/browse/ELY-613
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.0.Beta7
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
There are some inner classes in Elytron which should be considered to be static nested classes to avoid a dependency on their outer class. The following nested classes should be considered:
* LoadedIdentity and Identity from org.wildfly.security.auth.realm.FileSystemSecurityRealm
* DecoderState from org.wildfly.security.asn1.DERDecoder
* AccountEntry from org.wildfly.security.auth.realm.LegacyPropertiesSecurityRealm
* JaasAuthorizationIdentity and DefaultCallbackHandler from org.wildfly.security.auth.realm.JaasSecurityRealm
* LoadKey from org.wildfly.security.keystore.AtomicLoadKeyStore
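An added example, not Elytron code, that makes the dependency ELY-613 refers to visible: a non-static inner class carries a compiler-generated reference to its enclosing instance, a static nested class does not. The `Realm` and identity classes below are stand-ins for the realm/identity pairs listed in the issue, and the byte array is a constructed stand-in for whatever large state a realm holds.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

// Added example, not Elytron code: inspects the synthetic outer-instance field that a
// non-static inner class carries and that a static nested class does not.
public final class NestedClassCheck {

    // Stand-in for a realm that owns something large, e.g. a loaded identity table.
    static final class Realm {
        final byte[] identityTable = new byte[1 << 20];

        // Non-static inner class. Every instance holds a hidden reference to its Realm, so a
        // leaked or long-lived LoadedIdentityInner keeps the whole Realm reachable, and
        // serializing it would try to drag the outer instance along.
        final class LoadedIdentityInner {
            final String name;
            LoadedIdentityInner(String name) { this.name = name; }
            int tableSize() { return identityTable.length; }   // uses outer state implicitly
        }

        // Static nested class: no outer reference; what it needs is passed in explicitly.
        static final class LoadedIdentityNested {
            final String name;
            final int tableSize;
            LoadedIdentityNested(String name, int tableSize) { this.name = name; this.tableSize = tableSize; }
        }
    }

    // True when the class declares a synthetic field, i.e. the compiler-generated outer link.
    static boolean hasOuterReference(Class<?> c) {
        for (Field f : c.getDeclaredFields()) {
            if (f.isSynthetic()) return true;
        }
        return false;
    }

    static boolean isStaticNested(Class<?> c) {
        return c.getDeclaringClass() != null && Modifier.isStatic(c.getModifiers());
    }

    public static void main(String[] args) {
        Realm realm = new Realm();
        Realm.LoadedIdentityInner inner = realm.new LoadedIdentityInner("alice");
        Realm.LoadedIdentityNested nested = new Realm.LoadedIdentityNested("bob", realm.identityTable.length);

        System.out.println(inner.name + " (inner):  static=" + isStaticNested(inner.getClass())
                + " outerRef=" + hasOuterReference(inner.getClass()) + " tableSize=" + inner.tableSize());
        System.out.println(nested.name + " (nested): static=" + isStaticNested(nested.getClass())
                + " outerRef=" + hasOuterReference(nested.getClass()) + " tableSize=" + nested.tableSize);

        for (Field f : inner.getClass().getDeclaredFields()) {
            if (f.isSynthetic()) {
                System.out.println("synthetic field on inner class: " + f.getName() + " of type " + f.getType().getSimpleName());
            }
        }
    }
}
```

The inner class reports a synthetic field of type Realm (javac names it `this$0`), the nested class reports none. The reflection check is a cheap way to audit a code base for the pattern; the same information is what a static analyser keys on when it suggests making a nested class static.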
[JBoss JIRA] (ELY-612) Missing or unnecessary null check in AbstractDigestMechanism
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-612:
--------------------------------
Summary: Missing or unnecessary null check in AbstractDigestMechanism
Key: ELY-612
URL: https://issues.jboss.org/browse/ELY-612
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.0.Beta7
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
There is a missing or unnecessary null check in the {{getSaltedPasswordFromTwoWay}} method of org.wildfly.security.sasl.digest.AbstractDigestMechanism. {{char[] passwordChars}} is assigned on line 650 [1].
* In case null can be assigned to {{passwordChars}}, there is a missing null check before calling {{userRealmPasswordDigest(messageDigest, username, realm, passwordChars);}} on line 658, which can result in an NPE.
* In case null cannot be assigned to {{passwordChars}}, the null check on line 659 is unnecessary.
[1] https://github.com/wildfly-security/wildfly-elytron/blob/e01a09572b02f33d...
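An added example, not Elytron's AbstractDigestMechanism, showing the two shapes ELY-612 contrasts: a null check placed after the value has already been used, and one placed where it decides the outcome. The `PasswordSource` interface is an assumption standing in for the credential lookup; `userRealmPasswordDigest` here computes the DIGEST-MD5 `H(username ":" realm ":" password)` of RFC 2831 as a stand-in for the real method, and the sample user and password are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Added example, not Elytron code: consistent null handling around a password digest.
public final class DigestNullCheck {

    // Assumed credential lookup: returns null when no clear-text password is available.
    interface PasswordSource {
        char[] passwordFor(String username);
    }

    // Stand-in for userRealmPasswordDigest: H(username ":" realm ":" password) as in RFC 2831.
    static byte[] userRealmPasswordDigest(MessageDigest md, String username, String realm, char[] password) {
        md.reset();
        md.update(username.getBytes(StandardCharsets.UTF_8));
        md.update((byte) ':');
        md.update(realm.getBytes(StandardCharsets.UTF_8));
        md.update((byte) ':');
        md.update(new String(password).getBytes(StandardCharsets.UTF_8));   // NPE if password is null
        return md.digest();
    }

    // ELY-612 shape: passwordChars is used before it is checked. For a null password the
    // NPE has already been thrown; for any other value the check is dead code.
    static byte[] saltedPasswordInconsistent(MessageDigest md, PasswordSource src, String username, String realm) {
        char[] passwordChars = src.passwordFor(username);
        byte[] digest = userRealmPasswordDigest(md, username, realm, passwordChars);
        if (passwordChars == null) {
            return null;
        }
        return digest;
    }

    // Consistent: decide once, up front. A missing password is a normal outcome (this
    // mechanism cannot authenticate the user), not an internal error, so it is reported
    // as null rather than surfacing as an NPE from deep inside the digest.
    static byte[] saltedPassword(MessageDigest md, PasswordSource src, String username, String realm) {
        char[] passwordChars = src.passwordFor(username);
        if (passwordChars == null) {
            return null;
        }
        try {
            return userRealmPasswordDigest(md, username, realm, passwordChars);
        } finally {
            Arrays.fill(passwordChars, '\0');   // the source hands over a fresh copy (assumed), clear it after use
        }
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        PasswordSource src = user -> "alice".equals(user) ? "s3cret".toCharArray() : null;   // constructed

        System.out.println("alice   -> " + toHex(saltedPassword(md, src, "alice", "example.org")));
        System.out.println("mallory -> " + saltedPassword(md, src, "mallory", "example.org"));
        try {
            saltedPasswordInconsistent(md, src, "mallory", "example.org");
        } catch (NullPointerException e) {
            System.out.println("inconsistent variant: NullPointerException before its own null check ran");
        }
    }
}
```

For the user without a password the consistent variant returns null and the caller can fail the authentication cleanly; the inconsistent variant never reaches its own check. Whichever of the two cases in the issue applies, the fix is the same: establish whether the value can be null at the point of assignment and check there, not after use.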
[JBoss JIRA] (ELY-611) Unintentional integer overflow in LongNameSetPermissionCollection
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-611:
--------------------------------
Summary: Unintentional integer overflow in LongNameSetPermissionCollection
Key: ELY-611
URL: https://issues.jboss.org/browse/ELY-611
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.0.Beta7
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
There are potentially overflowing expressions in org.wildfly.security.permission.LongNameSetPermissionCollection in the {{getBitsForName}} method. The expressions {{1 << nameEnumeration.size()}} and {{1 << nameEnumeration.indexOf(name)}} are evaluated as integers but assigned to the {{bits}} variable, which is long. It can be avoided by casting {{1}} to long.
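An added example for ELY-611 (both the creation and the update message above), not Elytron's LongNameSetPermissionCollection: a reduced model that maps each known name to one bit of a long, with the issue's expressions kept in the buggy methods and the long-literal fix beside them. The 40-entry name table, the `implies` helper and the `(1 << size) - 1` all-names mask are assumptions made for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not Elytron code: int shift assigned to long (ELY-611) versus a long shift.
public final class NameBits {

    // Constructed name table with 40 entries, so that indices reach past bit 31.
    static final List<String> NAMES = new ArrayList<>();
    static {
        for (int i = 0; i < 40; i++) {
            NAMES.add("name" + i);
        }
    }

    private static int indexOf(String name) {
        int idx = NAMES.indexOf(name);
        if (idx < 0) {
            throw new IllegalArgumentException("unknown name: " + name);
        }
        return idx;
    }

    // ELY-611 shape: 1 << idx is evaluated as int. Java masks an int shift count to its
    // low 5 bits, so 1 << 32 behaves as 1 << 0 and 1 << 33 as 1 << 1; the int result is
    // widened to long only afterwards. Names 32..39 therefore share bits with names 0..7.
    static long bitsForNameBuggy(String name) {
        long bits = 1 << indexOf(name);
        return bits;
    }

    // Fixed: the literal is a long, so the shift is done in 64-bit arithmetic and
    // indices 0..63 each get a bit of their own.
    static long bitsForNameFixed(String name) {
        long bits = 1L << indexOf(name);
        return bits;
    }

    // Mask covering every known name, in both variants.
    static long allNamesBuggy() {
        return (1 << NAMES.size()) - 1;
    }

    static long allNamesFixed() {
        return (1L << NAMES.size()) - 1;
    }

    // A granted mask implies a requested mask when every requested bit is granted.
    static boolean implies(long granted, long requested) {
        return (granted & requested) == requested;
    }

    public static void main(String[] args) {
        long grantedBuggy = bitsForNameBuggy("name0");   // a collection holding only name0
        long grantedFixed = bitsForNameFixed("name0");

        System.out.println("buggy: name0=" + bitsForNameBuggy("name0")
                + " name32=" + bitsForNameBuggy("name32")
                + " name0 implies name32? " + implies(grantedBuggy, bitsForNameBuggy("name32")));
        System.out.println("fixed: name0=" + bitsForNameFixed("name0")
                + " name32=" + bitsForNameFixed("name32")
                + " name0 implies name32? " + implies(grantedFixed, bitsForNameFixed("name32")));
        System.out.println("all-names mask: buggy=" + allNamesBuggy() + " fixed=" + allNamesFixed());
    }
}
```

With the int shift, name0 and name32 both map to bit value 1, so a collection that holds only name0 answers "implies" for name32 as well, and the all-names mask collapses to 255 instead of 2^40 - 1. That is why the issue matters beyond tidiness: a permission set with more than 32 names silently grants names it was never given. The long-literal variant keeps the bits distinct.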
[JBoss JIRA] (ELY-609) Unguarded read in ElytronPolicyConfiguration
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-609:
--------------------------------
Summary: Unguarded read in ElytronPolicyConfiguration
Key: ELY-609
URL: https://issues.jboss.org/browse/ELY-609
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.0.Beta7
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Access to the fields {{uncheckedPermissions}}, {{excludedPermissions}} and {{rolePermissions}} in {{org.wildfly.security.authz.jacc.ElytronPolicyConfiguration}} is guarded by a lock. However, the lock is not used in their getter methods. Getters should also be guarded by locks to avoid unguarded reads of those fields.
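An added example for ELY-609 (both the creation and the update message above), not Elytron's ElytronPolicyConfiguration: a reduced policy configuration with the same three fields, where reads as well as writes take the lock and getters hand out snapshots. The read/write lock, the string-valued permissions, the simplified precedence in `implies` (excluded wins over unchecked, which wins over role grants) and the sample policy are assumptions made for the demonstration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;

// Added example, not Elytron code: guarded reads of policy fields and snapshot-returning getters.
public final class GuardedPolicyConfiguration {
    private final ReadWriteLock lock = new ReentrantReadWriteLock();
    private final Set<String> uncheckedPermissions = new HashSet<>();
    private final Set<String> excludedPermissions = new HashSet<>();
    private final Map<String, Set<String>> rolePermissions = new HashMap<>();

    public void addToUncheckedPolicy(String permission) {
        lock.writeLock().lock();
        try { uncheckedPermissions.add(permission); } finally { lock.writeLock().unlock(); }
    }

    public void addToExcludedPolicy(String permission) {
        lock.writeLock().lock();
        try { excludedPermissions.add(permission); } finally { lock.writeLock().unlock(); }
    }

    public void addToRole(String role, String permission) {
        lock.writeLock().lock();
        try { rolePermissions.computeIfAbsent(role, r -> new HashSet<>()).add(permission); }
        finally { lock.writeLock().unlock(); }
    }

    // ELY-609 shape: no lock, and the live set escapes. A caller can observe a structure
    // mid-update, and can change the policy through the returned set without any lock.
    public Set<String> getUncheckedPermissionsUnguarded() {
        return uncheckedPermissions;
    }

    // Guarded: copy under the read lock and hand out the copy read-only. Locking the
    // getter alone would not help if the live, mutable set still escaped.
    public Set<String> getUncheckedPermissions() {
        lock.readLock().lock();
        try { return Collections.unmodifiableSet(new HashSet<>(uncheckedPermissions)); }
        finally { lock.readLock().unlock(); }
    }

    public Set<String> getExcludedPermissions() {
        lock.readLock().lock();
        try { return Collections.unmodifiableSet(new HashSet<>(excludedPermissions)); }
        finally { lock.readLock().unlock(); }
    }

    public Map<String, Set<String>> getRolePermissions() {
        lock.readLock().lock();
        try {
            Map<String, Set<String>> copy = new HashMap<>();
            for (Map.Entry<String, Set<String>> e : rolePermissions.entrySet()) {
                copy.put(e.getKey(), Collections.unmodifiableSet(new HashSet<>(e.getValue())));
            }
            return Collections.unmodifiableMap(copy);
        } finally { lock.readLock().unlock(); }
    }

    // A decision that needs the three fields to agree is evaluated under one read lock,
    // not through three separate getter calls that a writer could interleave with.
    public boolean implies(Set<String> roles, String permission) {
        lock.readLock().lock();
        try {
            if (excludedPermissions.contains(permission)) return false;
            if (uncheckedPermissions.contains(permission)) return true;
            for (String role : roles) {
                Set<String> perms = rolePermissions.get(role);
                if (perms != null && perms.contains(permission)) return true;
            }
            return false;
        } finally { lock.readLock().unlock(); }
    }

    public static void main(String[] args) {
        GuardedPolicyConfiguration cfg = new GuardedPolicyConfiguration();
        cfg.addToUncheckedPolicy("GET:/public");               // constructed sample policy
        cfg.addToRole("admin", "GET:/admin");
        cfg.addToExcludedPolicy("GET:/internal");
        Set<String> admin = Collections.singleton("admin");
        System.out.println("admin GET:/admin    -> " + cfg.implies(admin, "GET:/admin"));
        System.out.println("admin GET:/internal -> " + cfg.implies(admin, "GET:/internal"));

        cfg.getUncheckedPermissionsUnguarded().add("GET:/admin");   // policy changed, no lock taken
        System.out.println("no roles GET:/admin after unguarded write -> "
                + cfg.implies(Collections.<String>emptySet(), "GET:/admin"));
        try {
            cfg.getUncheckedPermissions().add("GET:/internal");
        } catch (UnsupportedOperationException e) {
            System.out.println("guarded getter hands out a read-only snapshot");
        }
    }
}
```

The run shows the admin role implying its own permission and not the excluded one, then the unguarded getter being used to make GET:/admin unchecked for everyone with no lock involved, while the guarded getter's snapshot rejects the same mutation. The point for reviewers is that an unlocked getter is both a visibility problem (stale or partially built state) and an escape hatch for the mutable collection.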