dubbo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] [dubbo] containerAnalyzer opened a new issue #8197: One NPE in ConfigValidationUtils.java
Date Thu, 01 Jul 2021 07:11:11 GMT

containerAnalyzer opened a new issue #8197:
URL: https://github.com/apache/dubbo/issues/8197


   Hello,
   Our static analyzer found a following potential NPE. We have checked the feasibility of
this execution trace. It is necessary to defend this vulnerability to improve the code quality.
   This issue has a similar bug trace as the one in #8194 
   
   1. Return **null** to caller 
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L69
   
   2. Function **parseURL** executes and returns
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   3. Function **add** executes and **registries** can contains **null** value
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   4. Program reaches the return point, and **registries** is the return value, which contains
**null** value
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L176
   
   5. Function **parseURLs** executes and returns
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L206
   
   6. Function **next** executes and returns **null** value
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L208
   
   7. The return value of function **next** is passed as the this pointer to function **getProtocol**
(the return value of function **next** can be **null**), which will leak to null pointer dereference
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L211
   
   
   Commit: f26ba91b67f642148a10d3b197502e29928b77bf
   
   
   
   ContainerAnalyzer


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org


Mime
View raw message