Posted to notifications@dubbo.apache.org by GitBox <gi...@apache.org> on 2021/07/01 07:04:57 UTC

[GitHub] [dubbo] containerAnalyzer opened a new issue #8196: One NPE in URLBuilder.java

containerAnalyzer opened a new issue #8196:
URL: https://github.com/apache/dubbo/issues/8196


   Hello,
   Our static analyzer found the following potential NPE. We have checked the feasibility of this execution trace. It is necessary to defend this vulnerability to improve the code quality.
   
   1. Return **null** to caller (Trace starting point)
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L69
   
   2. Function **parseURL** executes and returns
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   3. Function **add** executes and **registries** contains **null** value
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   4. Function **parseURLs** executes and returns the **registries**, assigning it to **urls** 
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L206
   
   5. Function **next** executes and returns **null** value
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L208
   
   6. The return value of function **next** is used as the 1st parameter in function from (the return value of function **next** can be **null**)
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L210
   
   7. **url** is passed as the this pointer to function **getProtocol** (**url** can be null), which will lead to a null pointer dereference
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/URLBuilder.java#L108
   
   Commit: f26ba91b67f642148a10d3b197502e29928b77bf
   
   
   ContainerAnalyzer


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
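
The null propagation traced in the report above, reduced to a self-contained Java program (an added example, not Dubbo source and not part of the original messages). The `Url` record, the `[|;]` delimiter, the `Checked`/`Unchecked` method names and the sample address string are assumptions for illustration; it needs Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration with simplified stand-ins; not Dubbo source code.
public class NullUrlTrace {
    // Stand-in for a parsed URL; only the field the trace dereferences.
    record Url(String protocol) {}

    // Trace steps 1-2: the parser reports "nothing to parse" by returning null.
    static Url parseURL(String address) {
        if (address == null || address.isBlank()) return null;
        int i = address.indexOf("://");
        return new Url(i < 0 ? "dubbo" : address.substring(0, i));
    }

    // Trace steps 3-4: every result is added, so a null can land in the list.
    static List<Url> parseURLsUnchecked(String addresses) {
        List<Url> registries = new ArrayList<>();
        for (String a : addresses.split("[|;]")) registries.add(parseURL(a));
        return registries;
    }

    // Hardened variant: null results are dropped where they are produced.
    static List<Url> parseURLsChecked(String addresses) {
        List<Url> registries = new ArrayList<>();
        for (String a : addresses.split("[|;]")) {
            Url u = parseURL(a);
            if (u != null) registries.add(u);
        }
        return registries;
    }

    // Trace steps 5-7: the consumer dereferences each element it iterates over.
    static List<String> protocols(List<Url> urls) {
        List<String> out = new ArrayList<>();
        for (Url url : urls) out.add(url.protocol()); // NPE if url == null
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: the doubled ';' yields an empty address segment.
        String cfg = "zookeeper://127.0.0.1:2181;;nacos://127.0.0.1:8848";
        System.out.println(protocols(parseURLsChecked(cfg)));
        try {
            protocols(parseURLsUnchecked(cfg));
        } catch (NullPointerException e) {
            System.out.println("unchecked path: NullPointerException");
        }
    }
}
```

Filtering at the producer keeps every downstream consumer of the list safe; a null check only at the dereference site would protect that one caller.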


[GitHub] [dubbo] wangchengming666 commented on issue #8196: One NPE in URLBuilder.java

Posted by GitBox <gi...@apache.org>.
wangchengming666 commented on issue #8196:
URL: https://github.com/apache/dubbo/issues/8196#issuecomment-945278465


   I'll fix it




[GitHub] [dubbo] colin-ife-snyk commented on issue #8196: One NPE in URLBuilder.java

Posted by GitBox <gi...@apache.org>.
colin-ife-snyk commented on issue #8196:
URL: https://github.com/apache/dubbo/issues/8196#issuecomment-922966763


   Has this been fixed?




[GitHub] [dubbo] ouyangnengda commented on issue #8196: One NPE in URLBuilder.java

Posted by GitBox <gi...@apache.org>.
ouyangnengda commented on issue #8196:
URL: https://github.com/apache/dubbo/issues/8196#issuecomment-876141969


   > Hello,
   > Our static analyzer found the following potential NPE. We have checked the feasibility of this execution trace. It is necessary to defend this vulnerability to improve the code quality.
   > 
   > 1. Return **null** to caller (Trace starting point)
   >    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L69
   > 2. Function **parseURL** executes and returns
   >    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   > 3. Function **add** executes and **registries** contains **null** value
   >    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   > 4. Function **parseURLs** executes and returns the **registries**, assigning it to **urls**
   >    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L206
   > 5. Function **next** executes and returns **null** value
   >    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L208
   > 6. The return value of function **next** is used as the 1st parameter in function from (the return value of function **next** can be **null**)
   >    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L210
   > 7. **url** is passed as the this pointer to function **getProtocol** (**url** can be null), which will lead to a null pointer dereference
   >    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/URLBuilder.java#L108
   > 
   > Commit: [f26ba91](https://github.com/apache/dubbo/commit/f26ba91b67f642148a10d3b197502e29928b77bf)
   > 
   > ContainerAnalyzer
   
   
   
   
   What's the Dubbo version?




[GitHub] [dubbo] chickenlj commented on issue #8196: One NPE in URLBuilder.java

Posted by GitBox <gi...@apache.org>.
chickenlj commented on issue #8196:
URL: https://github.com/apache/dubbo/issues/8196#issuecomment-899174205


   Any update?




[GitHub] [dubbo] wangchengming666 edited a comment on issue #8196: One NPE in URLBuilder.java

Posted by GitBox <gi...@apache.org>.
wangchengming666 edited a comment on issue #8196:
URL: https://github.com/apache/dubbo/issues/8196#issuecomment-945278465


   On branch 3.0, maybe fixed by #8208.




[GitHub] [dubbo] CrazyHZM closed issue #8196: One NPE in URLBuilder.java

Posted by GitBox <gi...@apache.org>.
CrazyHZM closed issue #8196:
URL: https://github.com/apache/dubbo/issues/8196


   




[GitHub] [dubbo] MartianQiu commented on issue #8196: One NPE in URLBuilder.java

Posted by GitBox <gi...@apache.org>.
MartianQiu commented on issue #8196:
URL: https://github.com/apache/dubbo/issues/8196#issuecomment-872871846


   I will fix it ASAP.

