[jboss-jira] [JBoss JIRA] (WFLY-8095) Coverity static analysis, Dereference null return value, OAuth2CredentialSource (Elytron)

Martin Choma (JIRA) issues at jboss.org
Mon Feb 13 07:57:01 EST 2017


Martin Choma created WFLY-8095:
----------------------------------

             Summary: Coverity static analysis, Dereference null return value, OAuth2CredentialSource (Elytron)
                 Key: WFLY-8095
                 URL: https://issues.jboss.org/browse/WFLY-8095
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Martin Choma
            Assignee: Darran Lofthouse
            Priority: Critical


Coverity found a possible dereference of the null value returned from {{resolveSSLContext()}} in {{openConnection()}}.

https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=9564099&defectInstanceId=2359300&mergedDefectId=1389514

{code:java|title=OAuth2CredentialSource.java}
    private SSLContext resolveSSLContext() {
        if (!isHttps(tokenEndpointUri)) {
            return null;
        }
        return sslContextSupplier == null ? null : sslContextSupplier.get();
    }

    private HttpURLConnection openConnection() throws IOException {
        log.debugf("Opening connection to [%s]", tokenEndpointUri);
        HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.openConnection();

        if (isHttps(tokenEndpointUri)) {
            HttpsURLConnection https = (HttpsURLConnection) connection;

            https.setSSLSocketFactory(resolveSSLContext().getSocketFactory());
            if (hostnameVerifierSupplier != null) {
                https.setHostnameVerifier(checkNotNullParam("hostnameVerifier", hostnameVerifierSupplier.get()));
            }
        }

        return connection;
    }
{code}


An NPE could probably happen if {{oauth2-introspection}} is configured with no {{client-ssl-context}} and an https {{introspection-url}}.
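One way to close the null path described above, written as an added example for this report rather than Elytron's own code: the class name {{TokenEndpointClient}} is hypothetical, and falling back to the JVM default {{SSLContext}} when no supplier is configured is an assumption made here, not a behaviour the issue specifies.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.security.NoSuchAlgorithmException;
import java.util.function.Supplier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

// Hypothetical stand-in for the token-endpoint client; not WildFly/Elytron code.
public class TokenEndpointClient {
    private final URI tokenEndpointUri;
    private final Supplier<SSLContext> sslContextSupplier; // null when no client-ssl-context is set
    TokenEndpointClient(URI uri, Supplier<SSLContext> sslContextSupplier) {
        this.tokenEndpointUri = uri;
        this.sslContextSupplier = sslContextSupplier;
    }
    private static boolean isHttps(URI uri) {
        return "https".equalsIgnoreCase(uri.getScheme());
    }
    // Hardened variant: never returns null for an https endpoint. With no supplier configured it
    // falls back to the JVM default SSLContext (an assumption for this example); a supplier that
    // hands back null is reported as a configuration error rather than dereferenced later.
    private SSLContext resolveSSLContext() throws IOException {
        if (sslContextSupplier == null) {
            try {
                return SSLContext.getDefault();
            } catch (NoSuchAlgorithmException e) {
                throw new IOException("No default SSLContext available", e);
            }
        }
        SSLContext ctx = sslContextSupplier.get();
        if (ctx == null) {
            throw new IOException("SSLContext supplier returned null for " + tokenEndpointUri);
        }
        return ctx;
    }
    HttpURLConnection openConnection() throws IOException {
        HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.toURL().openConnection();
        if (isHttps(tokenEndpointUri)) { // resolveSSLContext() is only consulted on the https path
            ((HttpsURLConnection) connection).setSSLSocketFactory(resolveSSLContext().getSocketFactory());
        }
        return connection;
    }
    public static void main(String[] args) throws IOException {
        // Constructed case: https endpoint, no client-ssl-context configured (supplier == null).
        // openConnection() builds the connection object without any network I/O.
        HttpURLConnection c = new TokenEndpointClient(URI.create("https://example.invalid/introspect"), null).openConnection();
        System.out.println(c instanceof HttpsURLConnection); // the original code dereferenced null here
    }
}
```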



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)