[jboss-jira] [JBoss JIRA] (WFLY-7953) Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
Martin Choma (JIRA)
issues at jboss.org
Tue Jan 24 08:47:00 EST 2017
[ https://issues.jboss.org/browse/WFLY-7953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Choma updated WFLY-7953:
-------------------------------
Description:
Coverity static-analysis scan found a String to byte conversion (4xoccurences of {{getBytes()}}) with default platform encoding in the DefaultSingleSignOnSessionFactory method.
Following code
{code:java|title=DefaultSingleSignOnSessionFactory.java}
@Override
public String createLogoutParameter(String sessionId) {
try {
Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
signature.initSign(this.privateKey);
Base64.Encoder urlEncoder = Base64.getUrlEncoder();
return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
throw new IllegalStateException(e);
}
}
@Override
public String verifyLogoutParameter(String parameter) {
String[] parts = parameter.split("\\.");
if (parts.length != 2) {
throw new IllegalArgumentException(parameter);
}
try {
String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
signature.initVerify(this.certificate);
signature.update(localSessionId.getBytes());
Base64.Decoder urlDecoder = Base64.getUrlDecoder();
if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
}
return localSessionId;
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
throw new IllegalStateException(e);
} catch (SignatureException e) {
throw new IllegalArgumentException(parameter, e);
}
}
{code}
The encoding should be specified as argument.
Setting with high priority, because once default platform encoding UTF-16 will be set, funcionality do not need to work as intended. Especially when combined with {{asUtf8String()}}, which implies specifying default encoding UTF-8.
https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8675870&defectInstanceId=2164160&mergedDefectId=1396938
https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8675870&defectInstanceId=2164161&mergedDefectId=1396939
was:
Coverity static-analysis scan found a String to byte conversion (4xoccurences of {{getBytes()}}) with default platform encoding in the DefaultSingleSignOnSessionFactory method.
Following code
{code:java|title=DefaultSingleSignOnSessionFactory.java}
@Override
public String createLogoutParameter(String sessionId) {
try {
Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
signature.initSign(this.privateKey);
Base64.Encoder urlEncoder = Base64.getUrlEncoder();
return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
throw new IllegalStateException(e);
}
}
@Override
public String verifyLogoutParameter(String parameter) {
String[] parts = parameter.split("\\.");
if (parts.length != 2) {
throw new IllegalArgumentException(parameter);
}
try {
String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
signature.initVerify(this.certificate);
signature.update(localSessionId.getBytes());
Base64.Decoder urlDecoder = Base64.getUrlDecoder();
if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
}
return localSessionId;
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
throw new IllegalStateException(e);
} catch (SignatureException e) {
throw new IllegalArgumentException(parameter, e);
}
}
{code}
The encoding should be specified as argument.
Setting with high priority, because once default platform encoding UTF-16 will be set, funcionality do not need to work as intended. Especially when combined with {{asUtf8String()}}, which implies specifying default encoding UTF-8.
> Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
> -----------------------------------------------------------------------------
>
> Key: WFLY-7953
> URL: https://issues.jboss.org/browse/WFLY-7953
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
>
> Coverity static-analysis scan found a String to byte conversion (4xoccurences of {{getBytes()}}) with default platform encoding in the DefaultSingleSignOnSessionFactory method.
> Following code
> {code:java|title=DefaultSingleSignOnSessionFactory.java}
> @Override
> public String createLogoutParameter(String sessionId) {
> try {
> Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
> signature.initSign(this.privateKey);
> Base64.Encoder urlEncoder = Base64.getUrlEncoder();
> return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
> } catch (NoSuchAlgorithmException | InvalidKeyException e) {
> throw new IllegalStateException(e);
> }
> }
>
> @Override
> public String verifyLogoutParameter(String parameter) {
> String[] parts = parameter.split("\\.");
> if (parts.length != 2) {
> throw new IllegalArgumentException(parameter);
> }
> try {
> String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
> Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
> signature.initVerify(this.certificate);
> signature.update(localSessionId.getBytes());
> Base64.Decoder urlDecoder = Base64.getUrlDecoder();
> if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
> throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
> }
> return localSessionId;
> } catch (NoSuchAlgorithmException | InvalidKeyException e) {
> throw new IllegalStateException(e);
> } catch (SignatureException e) {
> throw new IllegalArgumentException(parameter, e);
> }
> }
> {code}
> The encoding should be specified as argument.
> Setting with high priority, because once default platform encoding UTF-16 will be set, funcionality do not need to work as intended. Especially when combined with {{asUtf8String()}}, which implies specifying default encoding UTF-8.
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8675870&defectInstanceId=2164160&mergedDefectId=1396938
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8675870&defectInstanceId=2164161&mergedDefectId=1396939
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list