Posted to notifications@ofbiz.apache.org by "Julian Leichert (JIRA)" <ji...@apache.org> on 2017/09/14 11:26:00 UTC

[jira] [Updated] (OFBIZ-9723) [FB] Package org.apache.ofbiz.entity.datasource

     [ https://issues.apache.org/jira/browse/OFBIZ-9723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Leichert updated OFBIZ-9723:
-----------------------------------
    Attachment: OFBIZ-9723_org.apache.ofbiz.entity.datasource_bugfixes.patch

class GenericDAO
 - removed redundant null-checks on modelEntity and viewHavingEntityCondition
 - removed useless object collist

class GenericHelperFactory
 - Line 38: changed to final, to prevent changes by malicious code
 - Line 82: changed to multi-catch

> [FB] Package org.apache.ofbiz.entity.datasource
> -----------------------------------------------
>
>                 Key: OFBIZ-9723
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9723
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Julian Leichert
>            Priority: Minor
>         Attachments: OFBIZ-9723_org.apache.ofbiz.entity.datasource_bugfixes.patch
>
>
> GenericDAO.java:108, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in org.apache.ofbiz.entity.datasource.GenericDAO.insert(GenericEntity)
> This method contains a redundant check of a known non-null value against the constant null.
> GenericDAO.java:171, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.singleInsert(GenericEntity, ModelEntity, List, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericDAO.java:187, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in org.apache.ofbiz.entity.datasource.GenericDAO.updateAll(GenericEntity)
> This method contains a redundant check of a known non-null value against the constant null.
> GenericDAO.java:197, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in org.apache.ofbiz.entity.datasource.GenericDAO.update(GenericEntity)
> This method contains a redundant check of a known non-null value against the constant null.
> GenericDAO.java:277, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.singleUpdate(GenericEntity, ModelEntity, List, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericDAO.java:331, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.updateByCondition(ModelEntity, Map, EntityCondition, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericDAO.java:501, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in org.apache.ofbiz.entity.datasource.GenericDAO.select(GenericEntity, SQLProcessor)
> This method contains a redundant check of a known non-null value against the constant null.
> GenericDAO.java:521, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.select(GenericEntity, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericDAO.java:547, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE, Priority: Normal
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in org.apache.ofbiz.entity.datasource.GenericDAO.partialSelect(GenericEntity, Set)
> This method contains a redundant check of a known non-null value against the constant null.
> GenericDAO.java:592, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.partialSelect(GenericEntity, Set)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericDAO.java:763, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.selectListIteratorByCondition(Delegator, ModelEntity, EntityCondition, EntityCondition, Collection, List, EntityFindOptions)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericDAO.java:854, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
> - RCN: Redundant nullcheck of viewHavingEntityCondition, which is known to be non-null in org.apache.ofbiz.entity.datasource.GenericDAO.makeConditionHavingString(StringBuilder, String, ModelEntity, EntityCondition, List, List)
> This method contains a redundant check of a known non-null value against the constant null.
> GenericDAO.java:913, UC_USELESS_OBJECT
> Useless object created
> Our analysis shows that this object is useless. It's created and modified, but its value never goes outside of the method or produces any side-effect. Either there is a mistake and the object was intended to be used, or it can be removed.
> This analysis rarely produces false-positives. Common false-positive cases include:
> - This object used to implicitly throw some obscure exception.
> - This object used as a stub to generalize the code.
> - This object used to hold strong references to weak/soft-referenced objects.
> GenericDAO.java:976, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.selectByMultiRelation(GenericValue, ModelRelation, ModelEntity, ModelRelation, ModelEntity, List)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericDAO.java:1106, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.selectCountByCondition(Delegator, ModelEntity, EntityCondition, EntityCondition, List, EntityFindOptions)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericDAO.java:1161, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE, Priority: Normal
> - RCN: Redundant nullcheck of modelEntity, which is known to be non-null in org.apache.ofbiz.entity.datasource.GenericDAO.delete(GenericEntity, SQLProcessor)
> This method contains a redundant check of a known non-null value against the constant null.
> GenericDAO.java:1174, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.delete(GenericEntity, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericDAO.java:1212, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
> - SQL: A prepared statement is generated from a nonconstant String in org.apache.ofbiz.entity.datasource.GenericDAO.deleteByCondition(ModelEntity, EntityCondition, SQLProcessor)
> The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
> GenericHelperFactory.java:38, MS_SHOULD_BE_FINAL
> - MS: org.apache.ofbiz.entity.datasource.GenericHelperFactory.helperCache isn't final but should be
> This static field is public but not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.
> GenericHelperFactory.java:81, NP_NULL_ON_SOME_PATH
> - NP: Possible null pointer dereference of helperConstructor in org.apache.ofbiz.entity.datasource.GenericHelperFactory.getHelper(GenericHelperInfo)
> There is a branch or statement that, if executed, guarantees that a null value will be dereferenced, which would generate a NullPointerException when the code is executed. Of course, the problem might be that the branch or statement is infeasible and that the null pointer exception can't ever be executed; deciding that is beyond the ability of FindBugs.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
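The SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING findings above fire on every statement whose text is assembled at runtime, which is exactly what a DAO that builds SQL from entity metadata does by design; the warning is a prompt to confirm that only trusted metadata reaches the statement text while request-controlled values are bound as parameters. The following added example (Python with the standard sqlite3 module; it is not OFBiz code or FindBugs output) shows the distinction the warning asks you to check. The table and column names, which cannot be bound as parameters, are validated against a constructed stand-in for the entity model; MODEL, SAMPLE_ROWS and all function names are assumptions made for this example. The unsafe variant splices the value into the text and leaks every row to a tautology payload; the safe variant, built from the same non-constant text, matches nothing and rejects an attacker-supplied column name.

```python
"""Added example (not OFBiz code): when SQL built from a non-constant
string is injectable and when it is not."""
import re
import sqlite3

# Constructed stand-in for an entity model (like OFBiz's ModelEntity):
# table and column names come from trusted metadata, never from a request.
MODEL = {"table": "PERSON", "fields": {"PARTY_ID", "FIRST_NAME", "LAST_NAME"}}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample rows for the in-memory database.
SAMPLE_ROWS = [
    ("10000", "Alice", "Admin"),
    ("10001", "Bob", "Builder"),
    ("10002", "Carol", "Clerk"),
]


def make_db():
    """Create an in-memory table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PERSON (PARTY_ID TEXT, FIRST_NAME TEXT, LAST_NAME TEXT)")
    conn.executemany("INSERT INTO PERSON VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def select_unsafe(conn, field, value):
    """The warned-about pattern done wrong: the VALUE becomes part of the text."""
    sql = "SELECT PARTY_ID FROM %s WHERE %s = '%s'" % (MODEL["table"], field, value)
    return [row[0] for row in conn.execute(sql)]


def build_select(model, field):
    """Build non-constant SQL text from model metadata only.

    Identifiers cannot be bound with '?', so the column name is checked
    against the model's field set (and a strict identifier pattern) instead.
    """
    if field not in model["fields"] or not _IDENT.match(field):
        raise ValueError("field not in entity model: %r" % (field,))
    return "SELECT PARTY_ID FROM %s WHERE %s = ?" % (model["table"], field)


def select_safe(conn, field, value):
    """Same non-constant text, but the value travels as a bound parameter."""
    sql = build_select(MODEL, field)
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    """Run both variants against a classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    unsafe = select_unsafe(conn, "FIRST_NAME", payload)  # every row leaks
    safe = select_safe(conn, "FIRST_NAME", payload)      # matches no row
    try:
        # An attacker-controlled identifier is the other way tainted data
        # could reach the text; the model check rejects it.
        select_safe(conn, "FIRST_NAME = '' OR 1=1 --", "x")
        ident_rejected = False
    except ValueError:
        ident_rejected = True
    return {"unsafe": sorted(unsafe), "safe": safe, "ident_rejected": ident_rejected}


if __name__ == "__main__":
    print(demo())
```

The check to carry back to GenericDAO is therefore twofold: every identifier spliced into the statement must originate in the entity model (or be validated against it), and every field value must be set through the SQLProcessor's parameter binding rather than concatenated into the string. If both hold, the FindBugs warning is a true-but-harmless report; if either fails, it is a real injection.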