[jboss-jira] [JBoss JIRA] (ELY-1480) Coverity, Explicit null dereferenced in FileSystemSecurityRealm

Ilia Vassilev (JIRA) issues at jboss.org
Fri Apr 13 10:59:00 EDT 2018


    [ https://issues.jboss.org/browse/ELY-1480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13561022#comment-13561022 ] 

Ilia Vassilev commented on ELY-1480:
------------------------------------

[~honza889] The attribute "algorithm" is optional in elytron-1_0_1.xsd for "credential-type" and "otp-credential-type". We use a default value when "algorithm" is null here [1], but don't you think that we need to throw an exception when parsing a password here [2]? If we don't use a default value for "algorithm", we also need to throw an exception when we parse a one-time password [3] and make "algorithm" required in "otp-credential-type".

[1] https://github.com/ivassile/wildfly-elytron/blob/1342021236374a3ecb9cd39a416a9fd331bbf346/src/main/java/org/wildfly/security/auth/realm/FileSystemSecurityRealm.java#L894 
[2] https://github.com/ivassile/wildfly-elytron/blob/1342021236374a3ecb9cd39a416a9fd331bbf346/src/main/java/org/wildfly/security/auth/realm/FileSystemSecurityRealm.java#L930
[3] https://github.com/ivassile/wildfly-elytron/blob/1342021236374a3ecb9cd39a416a9fd331bbf346/src/main/java/org/wildfly/security/auth/realm/FileSystemSecurityRealm.java#L985

> Coverity, Explicit null dereferenced in FileSystemSecurityRealm
> ---------------------------------------------------------------
>
>                 Key: ELY-1480
>                 URL: https://issues.jboss.org/browse/ELY-1480
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Client
>    Affects Versions: 1.2.0.Beta11
>            Reporter: Martin Choma
>            Assignee: Ilia Vassilev
>
> There are 2 occurrences of a call to PasswordFactory.getInstance(algorithm) in FileSystemSecurityRealm where algorithm can be null, because algorithm is optional in wildfly-config.xml
> {code:xml|title=elytron-1_0_1.xsd}
>     <xsd:complexType name="credential-type">
>         <xsd:simpleContent>
>             <xsd:extension base="xsd:string">
>                 <xsd:attribute name="algorithm" type="xsd:string" use="optional"/>
>                 <xsd:attribute name="format" type="xsd:string" use="optional"/>
>             </xsd:extension>
>         </xsd:simpleContent>
>     </xsd:complexType>
>     <xsd:complexType name="otp-credential-type">
>         <xsd:simpleContent>
>             <xsd:extension base="xsd:string">
>                 <xsd:attribute name="algorithm" type="xsd:string" use="optional"/>
>                 <xsd:attribute name="hash" type="xsd:string" use="optional"/>
>                 <xsd:attribute name="seed" type="xsd:string" use="optional"/>
>                 <xsd:attribute name="sequence" type="xsd:string" use="optional"/>
>             </xsd:extension>
>         </xsd:simpleContent>
>     </xsd:complexType>
> {code}
> Algorithm is dereferenced in PasswordFactory.getInstance(algorithm) down in 
> {code:java|title=java.security.Provider$ServiceKey.java}
>         private ServiceKey(String type, String algorithm, boolean intern) {
>             this.type = type;
>             this.originalAlgorithm = algorithm;
>             algorithm = algorithm.toUpperCase(ENGLISH);
>             this.algorithm = intern ? algorithm.intern() : algorithm;
>         }
> {code}
> [1] https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=44847809&defectInstanceId=9457601&mergedDefectId=1463442
> [2] https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=44847809&defectInstanceId=9457602&mergedDefectId=1463441



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
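The failure mode in the issue and the two fixes discussed in the comment (reject a missing "algorithm" explicitly, or substitute a documented default), as an added example that is not code from WildFly Elytron or from the thread's authors. It reads a <credential> element of the shape credential-type describes in elytron-1_0_1.xsd with a StAX parser, so the optional attribute comes back as null exactly as it does in the realm, and then shows the unguarded call beside a guarded one. The class and method names (OptionalAlgorithmExample, CredentialElement, readCredential, unguarded, guarded, withDefault) and the two sample XML strings are constructed for this example; only org.wildfly.security.password.PasswordFactory and org.wildfly.security.WildFlyElytronProvider are the real Elytron API, assumed to be on the classpath.

```java
// Added example, not WildFly Elytron's own code. Assumes the Elytron jar of
// the 1.x line is on the classpath; PasswordFactory and WildFlyElytronProvider
// are real classes, everything else here is hypothetical.
import java.io.StringReader;
import java.security.NoSuchAlgorithmException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.wildfly.security.WildFlyElytronProvider;
import org.wildfly.security.password.PasswordFactory;

public final class OptionalAlgorithmExample {

    /** What the parser extracted from one <credential> element. */
    static final class CredentialElement {
        final String algorithm; // may be null: the attribute is optional in the schema
        final String format;
        final String value;

        CredentialElement(String algorithm, String format, String value) {
            this.algorithm = algorithm;
            this.format = format;
            this.value = value;
        }
    }

    /** Constructed sample input, same attribute set as credential-type in the XSD. */
    static final String WITH_ALGORITHM =
        "<credential algorithm=\"clear\" format=\"base64\">c2VjcmV0</credential>";
    static final String WITHOUT_ALGORITHM =
        "<credential format=\"base64\">c2VjcmV0</credential>";

    static final WildFlyElytronProvider PROVIDER = new WildFlyElytronProvider();

    /** Hypothetical reader: pulls the attributes off the first <credential> element. */
    static CredentialElement readCredential(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false); // config files never need a DTD
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "credential".equals(r.getLocalName())) {
                    // getAttributeValue returns null when the attribute is absent,
                    // which is how a null "algorithm" reaches the realm.
                    String algorithm = r.getAttributeValue(null, "algorithm");
                    String format = r.getAttributeValue(null, "format");
                    String value = r.getElementText();
                    return new CredentialElement(algorithm, format, value);
                }
            }
        } finally {
            r.close();
        }
        throw new XMLStreamException("no <credential> element in input");
    }

    /** The shape Coverity flagged: the attribute flows to getInstance unchecked. */
    static PasswordFactory unguarded(CredentialElement c) throws NoSuchAlgorithmException {
        // With a null algorithm this dies with a NullPointerException inside
        // java.security.Provider$ServiceKey, far from the config line that caused it.
        return PasswordFactory.getInstance(c.algorithm, PROVIDER);
    }

    /** Fix discussed for the password path: fail early with a message naming the attribute. */
    static PasswordFactory guarded(CredentialElement c) throws NoSuchAlgorithmException {
        if (c.algorithm == null) {
            throw new IllegalArgumentException(
                "<credential> is missing the required 'algorithm' attribute");
        }
        return PasswordFactory.getInstance(c.algorithm, PROVIDER);
    }

    /** Alternative the comment mentions: substitute a documented default instead. */
    static PasswordFactory withDefault(CredentialElement c, String defaultAlgorithm)
            throws NoSuchAlgorithmException {
        String algorithm = c.algorithm != null ? c.algorithm : defaultAlgorithm;
        return PasswordFactory.getInstance(algorithm, PROVIDER);
    }

    public static void main(String[] args) throws Exception {
        CredentialElement missing = readCredential(WITHOUT_ALGORITHM);
        try {
            unguarded(missing);
        } catch (NullPointerException e) {
            System.out.println("unguarded: " + e); // the defect from the issue
        }
        try {
            guarded(missing);
        } catch (IllegalArgumentException e) {
            System.out.println("guarded: " + e.getMessage());
        }
        System.out.println("defaulted: " + withDefault(missing, "clear").getAlgorithm());
        System.out.println("present: " + guarded(readCredential(WITH_ALGORITHM)).getAlgorithm());
    }
}
```

Whichever of the two fixes is chosen, the check belongs at the parse site, where the element and its line are still known; once the null has reached PasswordFactory.getInstance the resulting NullPointerException carries no hint that a configuration attribute was the cause. The example uses the Provider-typed getInstance overload so it does not depend on the Elytron provider having been registered with java.security.Security.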

