[jboss-jira] [JBoss JIRA] (ELY-954) Coverity static analysis, Dereference null return value, OAuth2CredentialSource (Elytron)

Ilia Vassilev (JIRA) issues at jboss.org
Tue Feb 14 11:51:00 EST 2017


     [ https://issues.jboss.org/browse/ELY-954?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ilia Vassilev moved WFLY-8095 to ELY-954:
-----------------------------------------

        Project: WildFly Elytron  (was: WildFly)
            Key: ELY-954  (was: WFLY-8095)
    Component/s: Credential Store
                     (was: Security)


> Coverity static analysis, Dereference null return value, OAuth2CredentialSource (Elytron)
> -----------------------------------------------------------------------------------------
>
>                 Key: ELY-954
>                 URL: https://issues.jboss.org/browse/ELY-954
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Credential Store
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>            Priority: Critical
>
> Coverity found possible dereferencing of null value returned from {{resolveSSLContext()}} in {{openConnection()}}
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=9564099&defectInstanceId=2359300&mergedDefectId=1389514
> {code:java|title=OAuth2CredentialSource.java}
>     private SSLContext resolveSSLContext() {
>         if (!isHttps(tokenEndpointUri)) {
>             return null;
>         }
>         return sslContextSupplier == null ? null : sslContextSupplier.get();
>     }
>     private HttpURLConnection openConnection() throws IOException {
>         log.debugf("Opening connection to [%s]", tokenEndpointUri);
>         HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.openConnection();
>         if (isHttps(tokenEndpointUri)) {
>             HttpsURLConnection https = (HttpsURLConnection) connection;
>             https.setSSLSocketFactory(resolveSSLContext().getSocketFactory());
>             if (hostnameVerifierSupplier != null) {
>                 https.setHostnameVerifier(checkNotNullParam("hostnameVerifier", hostnameVerifierSupplier.get()));
>             }
>         }
>         return connection;
>     }
> {code}
> NPE could probably happen if {{oauth2-introspection}} is configured with no {{client-ssl-context}} and https {{introspection-url}}.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
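
An added example, not Elytron's code and not the fix applied to ELY-954: one way to remove the flagged dereference is to have `resolveSSLContext()` raise a configuration error instead of returning null when the endpoint is https. The class name, constructor, choice of `IOException`, and the endpoint URL are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.util.function.Supplier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

// Hypothetical stand-in for the reported class; only the field and method
// names quoted in the report are taken from it.
public class TokenEndpointClient {
    private final URL tokenEndpointUri;
    private final Supplier<SSLContext> sslContextSupplier; // null when no client-ssl-context is configured

    TokenEndpointClient(URL tokenEndpointUri, Supplier<SSLContext> sslContextSupplier) {
        this.tokenEndpointUri = tokenEndpointUri;
        this.sslContextSupplier = sslContextSupplier;
    }

    // Never returns null: a missing supplier, or a supplier that yields null,
    // becomes a configuration error that names the endpoint.
    private SSLContext resolveSSLContext() throws IOException {
        SSLContext context = sslContextSupplier == null ? null : sslContextSupplier.get();
        if (context == null) {
            throw new IOException("No SSLContext configured for HTTPS endpoint " + tokenEndpointUri);
        }
        return context;
    }

    HttpURLConnection openConnection() throws IOException {
        HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.openConnection();
        if (connection instanceof HttpsURLConnection) {
            // Only reached for https URLs, so plain http never asks for a context.
            ((HttpsURLConnection) connection).setSSLSocketFactory(resolveSSLContext().getSocketFactory());
        }
        return connection;
    }

    public static void main(String[] args) throws Exception {
        URL url = URI.create("https://idp.example.invalid/introspect").toURL(); // constructed; never contacted
        try {
            new TokenEndpointClient(url, null).openConnection(); // https with no SSL context
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        SSLContext jvmDefault = SSLContext.getDefault();
        HttpURLConnection ok = new TokenEndpointClient(url, () -> jvmDefault).openConnection();
        System.out.println("configured: " + (ok instanceof HttpsURLConnection));
    }
}
```

Failing here, rather than silently leaving the JVM default socket factory in place, keeps the connection from using a trust configuration the administrator did not choose.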

