Posted to notifications@ofbiz.apache.org by "Julian Leichert (JIRA)" <ji...@apache.org> on 2017/09/25 10:12:00 UTC

[jira] [Updated] (OFBIZ-9772) [FB] Package org.apache.ofbiz.product.category

     [ https://issues.apache.org/jira/browse/OFBIZ-9772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Leichert updated OFBIZ-9772:
-----------------------------------
    Attachment: OFBIZ-9722_org.apache.ofbiz.product.category_bugfixes.patch

class CatalogUrlFilter
 - line 57f : changed protected to private
 - added get/set to prevent changes by malicious code

class CatalogUrlSeoFilter
 - removed static

class CatalogUrlServlet
 - removed useless Override Methods

class CategoryContentWrapper
 - removed redundant null-checks
 
class CategoryServices
 - line 240,247 : changed valueOf to parseInt (better performance)
 - line 248 : changed catch to NumberFormatException (thrown in try-block) 

class CategoryWorker
 - removed redundant null-checks

class ControlServlet
 - changed protected to private
 - added get/set to prevent changes by malicious code

class SeoCatalogUrlServlet
 - removed useless Overrides
 
class SeoConfigUtil
 - line 234,292 :  added variable to store length (increase performance)
 - added locales
 
class SeoContentUrlFilter
 - line 46f : changed to final to prevent changes by malicious code
 - line 64 : "" to '' to increase performance

class SeoContextFilter
 - line 60 : renamed because first letter was uppercase
 - line 76 : changed keySet to entrySet to increase performance
 - multiple lines : "" to '' to increase performance
 - added locales

class SeoControlServlet
 - see changes in ControlServlet
 - added locale

> [FB] Package org.apache.ofbiz.product.category
> ----------------------------------------------
>
>                 Key: OFBIZ-9772
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9772
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: product
>    Affects Versions: Trunk
>            Reporter: Julian Leichert
>            Priority: Minor
>         Attachments: OFBIZ-9722_org.apache.ofbiz.product.category_bugfixes.patch
>
>
> CatalogUrlFilter.java:57, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> CatalogUrlFilter.java:58, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> CatalogUrlFilter.java:69, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CatalogUrlFilter.java:70, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CatalogUrlFilter.java:76, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.defaultLocaleString from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlFilter.java:77, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlFilter.redirectUrl from instance method org.apache.ofbiz.product.category.CatalogUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlSeoFilter.java:40, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> CatalogUrlSeoFilter.java:41, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> CatalogUrlSeoFilter.java:47, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CatalogUrlSeoFilter.java:48, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CatalogUrlSeoFilter.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.defaultLocaleString from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlSeoFilter.java:61, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.CatalogUrlSeoFilter.redirectUrl from instance method org.apache.ofbiz.product.category.CatalogUrlSeoFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> CatalogUrlServlet.java:47, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.CatalogUrlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> CategoryContentWrapper.java:102, RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
> - RCN: Nullcheck of CategoryContentWrapper.categoryContentCache at line 114 of value previously dereferenced in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(GenericValue, String, Locale, String, Delegator, LocalDispatcher, String)
> A value is checked here to see whether it is null, but this value can't be null because it was previously dereferenced and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.
> CategoryContentWrapper.java:154, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of sessionLocale, which is known to be non-null in org.apache.ofbiz.product.category.CategoryContentWrapper.getProductCategoryContentAsText(String, GenericValue, String, Locale, String, Delegator, LocalDispatcher, Writer, boolean)
> This method contains a redundant check of a known non-null value against the constant null.
> CategoryServices.java:240, DM_BOXED_PRIMITIVE_FOR_PARSING
> - Bx: Boxing/unboxing to parse a primitive org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)
> A boxed primitive is created from a String, just to extract the unboxed primitive value. It is more efficient to just call the static parseXXX method.
> CategoryServices.java:245, DLS_DEAD_LOCAL_STORE
> - DLS: Dead store to viewSize in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)
> This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used.
> Note that Sun's javac compiler often generates dead stores for final local variables. Because FindBugs is a bytecode-based tool, there is no easy way to eliminate these false positives.
> CategoryServices.java:411, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of productCategoryMembers, which is known to be non-null in org.apache.ofbiz.product.category.CategoryServices.getProductCategoryAndLimitedMembers(DispatchContext, Map)
> This method contains a redundant check of a known non-null value against the constant null.
> CategoryWorker.java:61, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getCatalogTopCategory(ServletRequest, String)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:106, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getRelatedCategories(ServletRequest, String, boolean)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:228, UPM_UNCALLED_PRIVATE_METHOD
> - UPM: Private method org.apache.ofbiz.product.category.CategoryWorker.buildCountCondition(String, String) is never called
> This private method is never called. Although it is possible that the method will be invoked through reflection, it is more likely that the method is never used, and should be removed.
> CategoryWorker.java:243, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, String)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:315, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.getTrail(ServletRequest)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:321, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.CategoryWorker.setTrail(ServletRequest, List)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> CategoryWorker.java:408, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of subCat, which is known to be non-null in org.apache.ofbiz.product.category.CategoryWorker.getCategoryContentWrappers(Map, List, HttpServletRequest)
> This method contains a redundant check of a known non-null value against the constant null.
> ControlServlet.java:33, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.ControlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> ControlServlet.java:33, NM_SAME_SIMPLE_NAME_AS_SUPERCLASS
> - Nm: The class name org.apache.ofbiz.product.category.ControlServlet shadows the simple name of the superclass org.apache.ofbiz.webapp.control.ControlServlet
> This class has a simple name that is identical to that of its superclass, except that its superclass is in a different package (e.g., alpha.Foo extends beta.Foo). This can be exceptionally confusing, create lots of situations in which you have to look at import statements to resolve references and creates many opportunities to accidentally define methods that do not override methods in their superclasses.
> ControlServlet.java:35, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.defaultPage should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> ControlServlet.java:36, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.pageNotFound should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> ControlServlet.java:37, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.ControlServlet.controlServlet should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> ControlServlet.java:51, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.defaultPage from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> ControlServlet.java:57, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.pageNotFound from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> ControlServlet.java:65, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.ControlServlet.controlServlet from instance method org.apache.ofbiz.product.category.ControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> SeoCatalogUrlServlet.java:45, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.SeoCatalogUrlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> SeoConfigUtil.java:510, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoConfigUtil.addSpecialProductId(String)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
>     String.toUpperCase( Locale l )
>     String.toLowerCase( Locale l )
> versions instead.
> SeoContentUrlFilter.java:46, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.defaultLocaleString isn't final but should be
> This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> SeoContentUrlFilter.java:47, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.product.category.SeoContentUrlFilter.redirectUrl isn't final but should be
> This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> SeoContentUrlFilter.java:57, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> SeoContentUrlFilter.java:58, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.SeoContentUrlFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> SeoContextFilter.java:-1, NM_FIELD_NAMING_CONVENTION
> - Nm: The field name org.apache.ofbiz.product.category.SeoContextFilter.WebServlets doesn't start with a lower case letter
> Names of fields that are not final should be in mixed case with a lowercase first letter and the first letters of subsequent words capitalized.
> SeoContextFilter.java:78, WMI_WRONG_MAP_ITERATOR
> - WMI: org.apache.ofbiz.product.category.SeoContextFilter.init(FilterConfig) makes inefficient use of keySet iterator instead of entrySet iterator
> This method accesses the value of a Map entry, using a key that was retrieved from a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the Map.get(key) lookup.
> SeoContextFilter.java:94, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletRequest to javax.servlet.http.HttpServletRequest in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> SeoContextFilter.java:95, BC_UNCONFIRMED_CAST
> - BC: Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> This cast is unchecked, and not all instances of the type casted from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail.
> SeoContextFilter.java:181, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoContextFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
>     String.toUpperCase( Locale l )
>     String.toLowerCase( Locale l )
> versions instead.
> SeoControlServlet.java:41, SE_NO_SERIALVERSIONID
> - SnVI: org.apache.ofbiz.product.category.SeoControlServlet is Serializable; consider declaring a serialVersionUID
> This class implements the Serializable interface, but does not define a serialVersionUID field.  A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to String.class will generate a static field class$java$lang$String). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.
> SeoControlServlet.java:43, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.SeoControlServlet.defaultPage should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> SeoControlServlet.java:44, MS_PKGPROTECT
> - MS: org.apache.ofbiz.product.category.SeoControlServlet.controlServlet should be package protected
> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.
> SeoControlServlet.java:60, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.defaultPage from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> SeoControlServlet.java:68, ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
> - ST: Write to static field org.apache.ofbiz.product.category.SeoControlServlet.controlServlet from instance method org.apache.ofbiz.product.category.SeoControlServlet.init(ServletConfig)
> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice.
> SeoControlServlet.java:77, DM_CONVERT_CASE
> - Dm: Use of non-localized String.toUpperCase() or String.toLowerCase() in org.apache.ofbiz.product.category.SeoControlServlet.doGet(HttpServletRequest, HttpServletResponse)
> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the
>     String.toUpperCase( Locale l )
>     String.toLowerCase( Locale l )
> versions instead.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
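The two FindBugs patterns that make up most of the report above (public mutable statics written from an instance init()/doFilter(), and case conversion without a Locale) are worth seeing at runtime. The Java program below is an added example and is not OFBiz code or part of the attached patch; the class names LeakyFilter and IsolatedFilter are hypothetical, and a plain Map stands in for the servlet FilterConfig init-params so the program runs without the servlet API on the classpath. It shows a second filter mapping silently overwriting the first one's redirect target, an unrelated class reassigning the static, and a toLowerCase() path comparison that stops matching once the JVM default locale is Turkish while the Locale.ROOT version keeps matching.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Added example, not OFBiz code. Demonstrates MS_PKGPROTECT / ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD
// and DM_CONVERT_CASE. A Map<String,String> replaces FilterConfig so no servlet API is needed (assumption).
public class FindBugsPatternsDemo {

    /** Pattern 1: configuration kept in public mutable statics and written from an instance init(). */
    static class LeakyFilter {
        public static String redirectUrl;           // any class in the JVM can reassign this
        public static String defaultLocaleString;

        void init(Map<String, String> config) {     // instance method writing static state
            redirectUrl = config.get("redirectUrl");
            defaultLocaleString = config.get("defaultLocaleString");
        }

        String redirectTarget() {
            return redirectUrl;
        }
    }

    /** Hardened form: per-instance, final after construction, no setter, required value validated. */
    static class IsolatedFilter {
        private final String redirectUrl;
        private final String defaultLocaleString;

        IsolatedFilter(Map<String, String> config) {
            String url = config.get("redirectUrl");
            if (url == null || url.isEmpty()) {
                throw new IllegalArgumentException("redirectUrl init-param is required");
            }
            this.redirectUrl = url;
            this.defaultLocaleString = config.getOrDefault("defaultLocaleString", "en");
        }

        String redirectTarget() {
            return redirectUrl;
        }

        String defaultLocale() {
            return defaultLocaleString;
        }
    }

    /** Pattern 2: case-folding request data with the platform default locale (what FindBugs flags). */
    static boolean matchesPathDefaultLocale(String requestPath, String expectedLower) {
        return requestPath.toLowerCase().equals(expectedLower);
    }

    /** Same check with a fixed locale, which gives the same answer on every JVM. */
    static boolean matchesPathRootLocale(String requestPath, String expectedLower) {
        return requestPath.toLowerCase(Locale.ROOT).equals(expectedLower);
    }

    public static void main(String[] args) {
        // Two filter mappings with different init-params, as a container would create them (constructed input).
        Map<String, String> storefront = new HashMap<>();
        storefront.put("redirectUrl", "/store/main");
        Map<String, String> admin = new HashMap<>();
        admin.put("redirectUrl", "/admin/main");

        LeakyFilter a = new LeakyFilter();
        a.init(storefront);
        LeakyFilter b = new LeakyFilter();
        b.init(admin);
        // The second init() overwrote the shared static: filter a now redirects to the admin target too.
        System.out.println("leaky    a -> " + a.redirectTarget() + ", b -> " + b.redirectTarget());

        // Nothing stops code elsewhere in the JVM from rewriting the field (this is the MS_PKGPROTECT point).
        LeakyFilter.redirectUrl = "https://attacker.invalid/";
        System.out.println("leaky after external write: a -> " + a.redirectTarget());

        IsolatedFilter c = new IsolatedFilter(storefront);
        IsolatedFilter d = new IsolatedFilter(admin);
        System.out.println("isolated c -> " + c.redirectTarget() + ", d -> " + d.redirectTarget());

        // Under a Turkish default locale, 'I' lowercases to dotless 'ı' (U+0131), so the
        // default-locale comparison fails on the same input that the Locale.ROOT comparison accepts.
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));
        String path = "/CATALOG/ITEM";
        System.out.println("default-locale match: " + matchesPathDefaultLocale(path, "/catalog/item"));
        System.out.println("root-locale match:    " + matchesPathRootLocale(path, "/catalog/item"));
    }
}
```

Run it with `java FindBugsPatternsDemo.java` (JDK 11 or later). Note that the "get/set" approach mentioned in the comment above keeps the state static and shared: a public setter reintroduces the same cross-instance and cross-package write path that FindBugs is warning about. Holding the values in private final instance fields populated once from init() is what removes both findings, and it also removes the need for any synchronization around the writes.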