[JBoss JIRA] (ELY-919) Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory

Friday, 3 February 2017

     [
https://issues.jboss.org/browse/ELY-919?page=com.atlassian.jira.plugin.sy...
]

Ilia Vassilev moved WFLY-7953 to ELY-919:
-----------------------------------------

              Project: WildFly Elytron  (was: WildFly)
                  Key: ELY-919  (was: WFLY-7953)
          Component/s: HTTP
                           (was: Security)
    Affects Version/s: 1.1.0.Beta21
                           (was: 11.0.0.Alpha1)

...
 Coverity: default platform encoding used in
DefaultSingleSignOnSessionFactory
 -----------------------------------------------------------------------------

                 Key: ELY-919
                 URL: https://issues.jboss.org/browse/ELY-919
             Project: WildFly Elytron
          Issue Type: Bug
          Components: HTTP
    Affects Versions: 1.1.0.Beta21
            Reporter: Martin Choma
            Assignee: Ilia Vassilev
            Priority: Critical

 Coverity static-analysis scan found a String to byte conversion (4xoccurences of
{{getBytes()}}) with default platform encoding in the DefaultSingleSignOnSessionFactory
method.
 Following code
 {code:java|title=DefaultSingleSignOnSessionFactory.java}
     @Override
     public String createLogoutParameter(String sessionId) {
         try {
             Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
             signature.initSign(this.privateKey);
             Base64.Encoder urlEncoder = Base64.getUrlEncoder();
             return sessionId + "." +
ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
         } catch (NoSuchAlgorithmException | InvalidKeyException e) {
             throw new IllegalStateException(e);
         }
     }

     @Override
     public String verifyLogoutParameter(String parameter) {
         String[] parts = parameter.split("\\.");
         if (parts.length != 2) {
             throw new IllegalArgumentException(parameter);
         }
         try {
             String localSessionId =
ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
             Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
             signature.initVerify(this.certificate);
             signature.update(localSessionId.getBytes());
             Base64.Decoder urlDecoder = Base64.getUrlDecoder();
             if
(!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
                 throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
             }
             return localSessionId;
         } catch (NoSuchAlgorithmException | InvalidKeyException e) {
             throw new IllegalStateException(e);
         } catch (SignatureException e) {
             throw new IllegalArgumentException(parameter, e);
         }
     }
 {code}                                                                                   

 The encoding should be specified as argument.
 Setting with high priority, because once default platform encoding UTF-16 will be set,
funcionality  do not need to work as intended. Especially when combined with
{{asUtf8String()}}, which implies specifying default encoding UTF-8.

https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=86758...

--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006