January 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-7967) Coverity: Incorrect definition of RawKey as a parent of Serializable classes

by Martin Choma (JIRA)

Martin Choma created WFLY-7967: ---------------------------------- Summary: Coverity: Incorrect definition of RawKey as a parent of Serializable classes Key: WFLY-7967 URL: https://issues.jboss.org/browse/WFLY-7967 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Darran Lofthouse There are some Serializable classes, which extends from RawKey, which is not Serializable. * RawRSAPrivateKey * RawDHPrivateKey * RawPBEKey * RawECPrivateKey * RawDSAPrivateKey Either mark RawKey as Serializable as well or if this is not desired, provide no-args constructor in RawKey class, as javadoc describes: During deserialization, the fields of non-serializable classes will be initialized using the public or protected no-arg constructor of the class. A no-arg constructor must be accessible to the subclass that is serializable. The fields of serializable subclasses will be restored from the stream. [1] [1] http://docs.oracle.com/javase/8/docs/api/java/io/Serializable.html https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=85539... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7966) Coverity static analysis: Suspicious integer expression in BSDUnixDESCryptPasswordImpl (Elytron)

by Martin Choma (JIRA)

Martin Choma created WFLY-7966: ---------------------------------- Summary: Coverity static analysis: Suspicious integer expression in BSDUnixDESCryptPasswordImpl (Elytron) Key: WFLY-7966 URL: https://issues.jboss.org/browse/WFLY-7966 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Darran Lofthouse Seems {{if}} statement will never be {{true}}, because invKeyPerm is of type byte[]. And permitted values for byte are -128...127. {code:java|title=BSDUnixDESCryptPasswordImpl.java} outBit = invKeyPerm[inBit]; if (outBit == 255) { continue; } {code} https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=85538... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7966) Coverity static analysis: Suspicious integer expression in BSDUnixDESCryptPasswordImpl (Elytron)

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-7966?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-7966: ------------------------------- Affects Version/s: 11.0.0.Alpha1 > Coverity static analysis: Suspicious integer expression in BSDUnixDESCryptPasswordImpl (Elytron) > ------------------------------------------------------------------------------------------------ > > Key: WFLY-7966 > URL: https://issues.jboss.org/browse/WFLY-7966 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Darran Lofthouse > > Seems {{if}} statement will never be {{true}}, because invKeyPerm is of type byte[]. And permitted values for byte are -128...127. > {code:java|title=BSDUnixDESCryptPasswordImpl.java} > outBit = invKeyPerm[inBit]; > if (outBit == 255) { > continue; > } > {code} > https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=85538... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7966) Coverity static analysis: Suspicious integer expression in BSDUnixDESCryptPasswordImpl (Elytron)

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-7966?page=com.atlassian.jira.plugin.... ] Martin Choma reassigned WFLY-7966: ---------------------------------- Assignee: Ilia Vassilev (was: Darran Lofthouse) > Coverity static analysis: Suspicious integer expression in BSDUnixDESCryptPasswordImpl (Elytron) > ------------------------------------------------------------------------------------------------ > > Key: WFLY-7966 > URL: https://issues.jboss.org/browse/WFLY-7966 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Ilia Vassilev > > Seems {{if}} statement will never be {{true}}, because invKeyPerm is of type byte[]. And permitted values for byte are -128...127. > {code:java|title=BSDUnixDESCryptPasswordImpl.java} > outBit = invKeyPerm[inBit]; > if (outBit == 255) { > continue; > } > {code} > https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=85538... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7965) Coverity static analysis: Dereference null return value in ServerAuthenticationContext (Elytron)

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-7965?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-7965: ------------------------------- Affects Version/s: 11.0.0.Alpha1 > Coverity static analysis: Dereference null return value in ServerAuthenticationContext (Elytron) > ------------------------------------------------------------------------------------------------ > > Key: WFLY-7965 > URL: https://issues.jboss.org/browse/WFLY-7965 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Darran Lofthouse > > Coverity static-analysis scan found possible dereference null return value in following code > {code:java|title=ServerAuthenticationContext.java} > if (log.isTraceEnabled()) { > log.tracef("Authorizing principal %s.", authenticationPrincipal.getName()); > log.tracef("Authorizing against the following attributes: %s => %s", > authorizationIdentity.getAttributes().keySet(), authorizationIdentity.getAttributes().values()); > } > {code} > Coverity suppose null value could get here via {{AggregateSecurityRealm.Identity.getAuthorizationIdentity}} calling {{TokenSecurityRealm.TokenRealmIdentity.getAuthorizationIdentity}} > {code:java|title=TokenRealmIdentity.java} > @Override > public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException { > if (exists()) { > return new AuthorizationIdentity() { > @Override > public Attributes getAttributes() { > return claims; > } > }; > } > return null; > } > {code} > https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=85537... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7965) Coverity static analysis: Dereference null return value in ServerAuthenticationContext (Elytron)

by Martin Choma (JIRA)

Martin Choma created WFLY-7965: ---------------------------------- Summary: Coverity static analysis: Dereference null return value in ServerAuthenticationContext (Elytron) Key: WFLY-7965 URL: https://issues.jboss.org/browse/WFLY-7965 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Darran Lofthouse Coverity static-analysis scan found possible dereference null return value in following code {code:java|title=ServerAuthenticationContext.java} if (log.isTraceEnabled()) { log.tracef("Authorizing principal %s.", authenticationPrincipal.getName()); log.tracef("Authorizing against the following attributes: %s => %s", authorizationIdentity.getAttributes().keySet(), authorizationIdentity.getAttributes().values()); } {code} Coverity suppose null value could get here via {{AggregateSecurityRealm.Identity.getAuthorizationIdentity}} calling {{TokenSecurityRealm.TokenRealmIdentity.getAuthorizationIdentity}} {code:java|title=TokenRealmIdentity.java} @Override public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException { if (exists()) { return new AuthorizationIdentity() { @Override public Attributes getAttributes() { return claims; } }; } return null; } {code} https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=85537... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7961) Coverity static analysis: Serializable *Callback classes containes non-serializable fields

by Ilia Vassilev (JIRA)

[ https://issues.jboss.org/browse/WFLY-7961?page=com.atlassian.jira.plugin.... ] Ilia Vassilev reassigned WFLY-7961: ----------------------------------- Assignee: Ilia Vassilev (was: Darran Lofthouse) > Coverity static analysis: Serializable *Callback classes containes non-serializable fields > ------------------------------------------------------------------------------------------ > > Key: WFLY-7961 > URL: https://issues.jboss.org/browse/WFLY-7961 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Ilia Vassilev > > Coverity static analysis found, there is couple of *Callback classes, which are mark as Serializable, and contains non-serializable fields. > * CredentialCallback > * CredentialUpdateCallback > * MechanismInformationCallback > * SSLCallback > * SecurityIdentityCallback > * ServerCredentialCallback > * TrustedAuthoritiesCallback > Either mark fields as transient or Serializable. > https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=84905... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7964) Coverity static analysis: Resource leak in LdapSecurityRealm (Elytron)

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-7964?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-7964: ------------------------------- Affects Version/s: 11.0.0.Alpha1 > Coverity static analysis: Resource leak in LdapSecurityRealm (Elytron) > ---------------------------------------------------------------------- > > Key: WFLY-7964 > URL: https://issues.jboss.org/browse/WFLY-7964 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Darran Lofthouse > Priority: Critical > > Coverity static-analysis scan found resource leak in LdapSecurityRealm.getIdentity(). > It has to be in try-with-resources, because Stream<LdapIdentity> has registered close handler, where NamingEnumeration.close() is called. Looking into one possible implementation http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u... It would be safer to call close() explicitelly. > However chained stream statement is used in try, which cause 2 Stream objects to be created. But only one of them is closed. Stream created by ldapSearch.search(context) (with exlicitely registered close handler) is not closed. > {code:java|title=LdapSecurityRealm.java} > try ( > Stream<LdapIdentity> identityStream = ldapSearch.search(context) > .map(result -> new LdapIdentity(result.getNameInNamespace())) > ) { > LdapIdentity identity = identityStream.findFirst().orElse(null); > {code} > https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=85538... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7964) Coverity static analysis: Resource leak in LdapSecurityRealm (Elytron)

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-7964?page=com.atlassian.jira.plugin.... ] Martin Choma reassigned WFLY-7964: ---------------------------------- Assignee: Ilia Vassilev (was: Darran Lofthouse) > Coverity static analysis: Resource leak in LdapSecurityRealm (Elytron) > ---------------------------------------------------------------------- > > Key: WFLY-7964 > URL: https://issues.jboss.org/browse/WFLY-7964 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 11.0.0.Alpha1 > Reporter: Martin Choma > Assignee: Ilia Vassilev > Priority: Critical > > Coverity static-analysis scan found resource leak in LdapSecurityRealm.getIdentity(). > It has to be in try-with-resources, because Stream<LdapIdentity> has registered close handler, where NamingEnumeration.close() is called. Looking into one possible implementation http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u... It would be safer to call close() explicitelly. > However chained stream statement is used in try, which cause 2 Stream objects to be created. But only one of them is closed. Stream created by ldapSearch.search(context) (with exlicitely registered close handler) is not closed. > {code:java|title=LdapSecurityRealm.java} > try ( > Stream<LdapIdentity> identityStream = ldapSearch.search(context) > .map(result -> new LdapIdentity(result.getNameInNamespace())) > ) { > LdapIdentity identity = identityStream.findFirst().orElse(null); > {code} > https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=85538... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7964) Coverity static analysis: Resource leak in LdapSecurityRealm (Elytron)

by Martin Choma (JIRA)

Martin Choma created WFLY-7964: ---------------------------------- Summary: Coverity static analysis: Resource leak in LdapSecurityRealm (Elytron) Key: WFLY-7964 URL: https://issues.jboss.org/browse/WFLY-7964 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Darran Lofthouse Priority: Critical Coverity static-analysis scan found resource leak in LdapSecurityRealm.getIdentity(). It has to be in try-with-resources, because Stream<LdapIdentity> has registered close handler, where NamingEnumeration.close() is called. Looking into one possible implementation http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u... It would be safer to call close() explicitelly. However chained stream statement is used in try, which cause 2 Stream objects to be created. But only one of them is closed. Stream created by ldapSearch.search(context) (with exlicitely registered close handler) is not closed. {code:java|title=LdapSecurityRealm.java} try ( Stream<LdapIdentity> identityStream = ldapSearch.search(context) .map(result -> new LdapIdentity(result.getNameInNamespace())) ) { LdapIdentity identity = identityStream.findFirst().orElse(null); {code} https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=85538... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 3 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira January 2017