You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@karaf.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2015/12/15 16:03:46 UTC

[jira] [Created] (KARAF-4199) Privacy Violation: Heap Inspection

Eduardo Aguinaga created KARAF-4199:
---------------------------------------

             Summary: Privacy Violation: Heap Inspection
                 Key: KARAF-4199
                 URL: https://issues.apache.org/jira/browse/KARAF-4199
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 4.0.3
            Reporter: Eduardo Aguinaga


HP Fortify and SciTools Understand were used to perform an application security scan on the karaf source code.

The method interactive() in Main.java stores sensitive data in a String object on line 127, making it impossible to reliably purge the data from memory.

Main.java, lines 120-137:
120 public String[] interactive(String destination, String name, String instruction, String[] prompt, boolean[] echo) {
121     String[] answers = new String[prompt.length];
122     try {
123         for (int i = 0; i < prompt.length; i++) {
124             if (echo[i]) {
125                 answers[i] = console.readLine(prompt[i] + " ");
126             } else {
127                 answers[i] = new String(console.readPassword(prompt[i] + " "));
128             }
129             if (answers[i] == null) {
130                 return null;
131             }
132         }
133         return answers;
134     } catch (IOError e) {
135         return null;
136     }
137 }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)