Posted to dev@struts.apache.org by GitBox <gi...@apache.org> on 2021/06/15 14:48:54 UTC

[GitHub] [struts] containerAnalyzer opened a new pull request #491: Fix NPE in XmlConfigurationProvider.java

containerAnalyzer opened a new pull request #491:
URL: https://github.com/apache/struts/pull/491


   Hello,
   Our static analyzer found the following potential NPE. We have checked the feasibility of this execution trace. It is necessary to defend against this vulnerability to improve the code quality.
   
   Here is the bug trace.
   
   1. Return **null** to caller
   https://github.com/apache/struts/blob/cb318cdc749f40a06eaaeed789a047f385a55480/core/src/main/java/com/opensymphony/xwork2/util/DomHelper.java#L226
   
   2. Function **getDocument** executes and the return value can be **null**
   https://github.com/apache/struts/blob/cb318cdc749f40a06eaaeed789a047f385a55480/core/src/main/java/com/opensymphony/xwork2/util/DomHelper.java#L123
   
   3. Function **parse** executes and passes the return value as the parameter of **add**, which can be **null**
   https://github.com/apache/struts/blob/cb318cdc749f40a06eaaeed789a047f385a55480/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java#L1080
   
   4. Function **add** executes. One of the elements in **docs** can be **null**
   https://github.com/apache/struts/blob/cb318cdc749f40a06eaaeed789a047f385a55480/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java#L1080
   
   5. Function **next** executes and stores the return value to **doc** (doc can be null)
   https://github.com/apache/struts/blob/cb318cdc749f40a06eaaeed789a047f385a55480/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java#L1108
   
   6. **doc** is passed as the **this** pointer to function **getDocumentElement** (**doc** can be **null**), which will lead to null pointer dereference
   https://github.com/apache/struts/blob/cb318cdc749f40a06eaaeed789a047f385a55480/core/src/main/java/com/opensymphony/xwork2/config/providers/XmlConfigurationProvider.java#L1109
   
   Commit: cb318cdc749f40a06eaaeed789a047f385a55480
   
   We have fixed this NPE in this PR. Please confirm and merge it to make the code more reliable. Thanks.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
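
The null propagation described in the trace above, reduced to a self-contained Java example added here; it is not the code from the pull request or from Struts. `parseOrNull`, `loadAll` and `rootNames` are hypothetical names, the input strings are constructed, and the guard shown is one possible check, not necessarily the one the PR applies.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class NullDocumentGuard {
    // Hypothetical loader: returns null instead of throwing when parsing
    // fails (steps 1-2 of the trace).
    static Document parseOrNull(String xml) {
        try {
            return DocumentBuilderFactory.newInstance().newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (Exception e) {
            return null;
        }
    }

    // Steps 3-4: each result is added to docs. With guard == false a null
    // result is stored unchecked; with guard == true it is skipped.
    static List<Document> loadAll(List<String> sources, boolean guard) {
        List<Document> docs = new ArrayList<>();
        for (String source : sources) {
            Document doc = parseOrNull(source);
            if (guard && doc == null) {
                continue; // a real caller would also log which source failed
            }
            docs.add(doc);
        }
        return docs;
    }

    // Steps 5-6: each element is dereferenced; a null element throws here,
    // far from the place where the null was produced.
    static List<String> rootNames(List<Document> docs) {
        List<String> names = new ArrayList<>();
        for (Document doc : docs) {
            names.add(doc.getDocumentElement().getNodeName());
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed input: the second document is malformed (unclosed tag).
        List<String> sources = List.of("<struts/>", "<struts>");
        System.out.println("guarded: " + rootNames(loadAll(sources, true)));
        try {
            rootNames(loadAll(sources, false));
        } catch (NullPointerException e) {
            System.out.println("unguarded: NullPointerException on a null document");
        }
    }
}
```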


[GitHub] [struts] coveralls commented on pull request #491: Fix NPE in XmlConfigurationProvider.java

Posted by GitBox <gi...@apache.org>.
coveralls commented on pull request #491:
URL: https://github.com/apache/struts/pull/491#issuecomment-861580977


   
   [![Coverage Status](https://coveralls.io/builds/40601045/badge)](https://coveralls.io/builds/40601045)
   
   Coverage increased (+0.002%) to 49.916% when pulling **621fea935b61b549ae9f547f704d3c75781515ea on containerAnalyzer:master** into **eab033c7f057bd587cdc7a0d609bed4226612685 on apache:master**.
   





[GitHub] [struts] lukaszlenart merged pull request #491: Fix NPE in XmlConfigurationProvider.java

Posted by GitBox <gi...@apache.org>.
lukaszlenart merged pull request #491:
URL: https://github.com/apache/struts/pull/491


   

