dubbo-notifications mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [dubbo] containerAnalyzer opened a new issue #8194: One NPE in PropertiesConfiguration.java
Date Thu, 01 Jul 2021 06:52:50 GMT

containerAnalyzer opened a new issue #8194:
URL: https://github.com/apache/dubbo/issues/8194


   Hello,
   Our static analyzer found the following potential NPE. We have checked the feasibility of this execution trace. It is necessary to defend against this vulnerability to improve the code quality.
   
   1. Return **null** to caller (Trace starting point)
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/extension/ExtensionLoader.java#L466
   
   2. Function **getDefaultExtension** executes, stores the return value to **defaultextension** (**defaultextension** can be null) and returns **defaultextension** to caller, which can be null
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/extension/ExtensionLoader.java#L434
   
   3. Return the return value of function **getExtension** to caller
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/extension/ExtensionLoader.java#L426
   
   4. Function **add** executes and one of the elements in **orderedPropertiesProviders** can be null
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/config/PropertiesConfiguration.java#L40
   
   5. Function **next** executes and stores the return value to **orderedPropertiesProvider** (**orderedPropertiesProvider** can be null)
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/config/PropertiesConfiguration.java#L53
   
   6. **orderedPropertiesProvider** is passed as the **this** pointer to function **initProperties** (**orderedPropertiesProvider** can be null), which will lead to a null pointer dereference
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/config/PropertiesConfiguration.java#L54
   
   
   Commit: f26ba91b67f642148a10d3b197502e29928b77bf
   
   
   
   ContainerAnalyzer


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


