[jboss-jira] [JBoss JIRA] (ELY-919) Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory

Darran Lofthouse (JIRA) issues at jboss.org
Tue Feb 7 11:23:01 EST 2017


     [ https://issues.jboss.org/browse/ELY-919?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated ELY-919:
---------------------------------
    Fix Version/s: 1.1.0.Beta23


> Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
> -----------------------------------------------------------------------------
>
>                 Key: ELY-919
>                 URL: https://issues.jboss.org/browse/ELY-919
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: HTTP
>    Affects Versions: 1.1.0.Beta21
>            Reporter: Martin Choma
>            Assignee: Ilia Vassilev
>            Priority: Critical
>             Fix For: 1.1.0.Beta23
>
>
> Coverity static-analysis scan found a String to byte conversion (4 occurrences of {{getBytes()}}) with default platform encoding in the DefaultSingleSignOnSessionFactory method.
> Following code
> {code:java|title=DefaultSingleSignOnSessionFactory.java}
>     @Override
>     public String createLogoutParameter(String sessionId) {
>         try {
>             Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
>             signature.initSign(this.privateKey);
>             Base64.Encoder urlEncoder = Base64.getUrlEncoder();
>             return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
>         } catch (NoSuchAlgorithmException | InvalidKeyException e) {
>             throw new IllegalStateException(e);
>         }
>     }
>     
>     @Override
>     public String verifyLogoutParameter(String parameter) {
>         String[] parts = parameter.split("\\.");
>         if (parts.length != 2) {
>             throw new IllegalArgumentException(parameter);
>         }
>         try {
>             String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
>             Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
>             signature.initVerify(this.certificate);
>             signature.update(localSessionId.getBytes());
>             Base64.Decoder urlDecoder = Base64.getUrlDecoder();
>             if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
>                 throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
>             }
>             return localSessionId;
>         } catch (NoSuchAlgorithmException | InvalidKeyException e) {
>             throw new IllegalStateException(e);
>         } catch (SignatureException e) {
>             throw new IllegalArgumentException(parameter, e);
>         }
>     }
> {code}
> The encoding should be specified as argument.
> Setting with high priority, because once the default platform encoding UTF-16 is set, functionality does not need to work as intended. Especially when combined with {{asUtf8String()}}, which implies specifying the default encoding UTF-8.
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8675870&defectInstanceId=2164160&mergedDefectId=1396938
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8675870&defectInstanceId=2164161&mergedDefectId=1396939



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
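An added example, not code from the issue or from WildFly Elytron, showing the charset-explicit form of the two methods and why the platform default matters. It assumes SHA256withRSA as the signature algorithm (the page's DEFAULT_SIGNATURE_ALGORITHM constant is not shown) and replaces Elytron's ByteIterator helper with plain JCA and java.util.Base64 calls; the session id used in main() is a constructed value containing a non-ASCII character so that its UTF-8 and UTF-16 byte forms differ.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/**
 * Added example (not WildFly Elytron code) for ELY-919: sign and verify a
 * "<sessionId>.<base64url signature>" logout parameter with an explicit
 * charset on every String <-> byte[] conversion.
 */
public class LogoutParameterCharsetDemo {

    // Assumption: the page does not show DEFAULT_SIGNATURE_ALGORITHM.
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";

    /** Hardened form of createLogoutParameter: the charset is a parameter, never the platform default. */
    static String createLogoutParameter(String sessionId, PrivateKey privateKey, Charset charset)
            throws GeneralSecurityException {
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initSign(privateKey);
        signature.update(sessionId.getBytes(charset));
        byte[] sig = signature.sign();
        // Base64url output is pure ASCII, so it is safe to append as a String.
        return sessionId + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    /** Hardened form of verifyLogoutParameter: same charset as the signer, or the bytes will not match. */
    static boolean verifyLogoutParameter(String parameter, PublicKey publicKey, Charset charset)
            throws GeneralSecurityException {
        String[] parts = parameter.split("\\.");
        if (parts.length != 2) {
            throw new IllegalArgumentException("expected <sessionId>.<signature>");
        }
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initVerify(publicKey);
        signature.update(parts[0].getBytes(charset));
        // Decode the ASCII base64url text directly; no getBytes() round trip needed.
        byte[] sig = Base64.getUrlDecoder().decode(parts[1]);
        return signature.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed session id with a non-ASCII character: its UTF-8 and
        // UTF-16 encodings are different byte sequences.
        String sessionId = "sess-\u00e9-42";

        String param = createLogoutParameter(sessionId, kp.getPrivate(), StandardCharsets.UTF_8);

        // Signer and verifier agree on the charset: the signature covers the same bytes.
        System.out.println("UTF-8 both sides: "
                + verifyLogoutParameter(param, kp.getPublic(), StandardCharsets.UTF_8));

        // A verifier whose "default" is UTF-16 hashes different bytes for the
        // same session id, which is exactly the failure the Coverity finding warns about.
        System.out.println("UTF-8 signer, UTF-16 verifier: "
                + verifyLogoutParameter(param, kp.getPublic(), StandardCharsets.UTF_16));

        System.out.println("JVM default charset on this host: " + Charset.defaultCharset());
    }
}
```

The original code's `ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String()` round trip is only an identity when the platform default happens to be UTF-8; passing `StandardCharsets.UTF_8` to `getBytes` (or dropping the round trip, as above) removes that dependency, and the same applies to decoding the base64url part, which is ASCII but would be mangled by a UTF-16 default.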

