[jboss-jira] [JBoss JIRA] (WFLY-7953) Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory

Martin Choma (JIRA) issues at jboss.org
Tue Jan 24 08:41:01 EST 2017 

Martin Choma created WFLY-7953:
----------------------------------

             Summary: Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
                 Key: WFLY-7953
                 URL: https://issues.jboss.org/browse/WFLY-7953
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Martin Choma
            Assignee: Darran Lofthouse
            Priority: Critical


Coverity static-analysis scan found a String to byte conversion (4xoccurences of {{getBytes()}}) with default platform encoding in the DefaultSingleSignOnSessionFactory method.

Following code

{code:java|title=DefaultSingleSignOnSessionFactory.java}
    @Override
    public String createLogoutParameter(String sessionId) {
        try {
            Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);

            signature.initSign(this.privateKey);

            Base64.Encoder urlEncoder = Base64.getUrlEncoder();

            return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new IllegalStateException(e);
        }
    }
    
    @Override
    public String verifyLogoutParameter(String parameter) {
        String[] parts = parameter.split("\\.");
        if (parts.length != 2) {
            throw new IllegalArgumentException(parameter);
        }
        try {
            String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
            Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);

            signature.initVerify(this.certificate);
            signature.update(localSessionId.getBytes());

            Base64.Decoder urlDecoder = Base64.getUrlDecoder();

            if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
                throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
            }

            return localSessionId;
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new IllegalStateException(e);
        } catch (SignatureException e) {
            throw new IllegalArgumentException(parameter, e);
        }
    }
{code}                                                                                                                                                                                                             

The encoding should be specified as argument.

Setting with high priority, because once default platform encoding UTF-16 will be set, funcionality  do not need to work as intended. Especially when combined with {{asUtf8String()}}, which implies specifying default encoding UTF-8.






--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list