Posted to notifications@dubbo.apache.org by GitBox <gi...@apache.org> on 2021/07/01 07:11:11 UTC

[GitHub] [dubbo] containerAnalyzer opened a new issue #8197: One NPE in ConfigValidationUtils.java

containerAnalyzer opened a new issue #8197:
URL: https://github.com/apache/dubbo/issues/8197


   Hello,
   Our static analyzer found the following potential NPE. We have checked the feasibility of this execution trace. It is necessary to defend this vulnerability to improve the code quality.
   This issue has a similar bug trace as the one in #8194 
   
   1. Return **null** to caller 
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L69
   
   2. Function **parseURL** executes and returns
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   3. Function **add** executes and **registries** can contain a **null** value
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   4. Program reaches the return point, and **registries** is the return value, which contains **null** value
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L176
   
   5. Function **parseURLs** executes and returns
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L206
   
   6. Function **next** executes and returns **null** value
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L208
   
   7. The return value of function **next** is passed as the this pointer to function **getProtocol** (the return value of function **next** can be **null**), which will lead to a null pointer dereference
   https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L211
   
   
   Commit: f26ba91b67f642148a10d3b197502e29928b77bf
   
   
   
   ContainerAnalyzer


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
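
A simplified Java model of the null-propagation trace reported in the issue above, added here as an illustration; it is not Dubbo's code and not the change made in #8208. Only the names `parseURL`, `registries` and `getProtocol` come from the report; the `Url` record, the `;` separator, the blank-address condition, the `parseURLsUnchecked`/`parseURLsChecked` pair and the `countProtocol` consumer are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the reported trace; not Dubbo source. Url is a hypothetical
// stand-in for the project's URL class, and the ";" separator is an assumption.
public class NullInListDemo {
    record Url(String protocol, String host) {
        String getProtocol() { return protocol; }
    }

    // Steps 1-2: the single-address parser returns null for input it cannot use.
    static Url parseURL(String address) {
        if (address == null || address.isBlank()) return null;
        String[] parts = address.trim().split("://", 2);
        return parts.length == 2 ? new Url(parts[0], parts[1]) : new Url("dubbo", parts[0]);
    }

    // Steps 3-4: every result is added unchecked, so the list can carry null.
    static List<Url> parseURLsUnchecked(String addresses) {
        List<Url> registries = new ArrayList<>();
        for (String addr : addresses.split(";")) registries.add(parseURL(addr));
        return registries;
    }

    // Hardened producer: null results never enter the collection.
    static List<Url> parseURLsChecked(String addresses) {
        List<Url> registries = new ArrayList<>();
        for (String addr : addresses.split(";")) {
            Url url = parseURL(addr);
            if (url != null) registries.add(url);
        }
        return registries;
    }

    // Steps 5-7: the consumer iterates and dereferences each element.
    static int countProtocol(List<Url> urls, String protocol) {
        int n = 0;
        for (Url url : urls) if (protocol.equals(url.getProtocol())) n++;
        return n;
    }

    public static void main(String[] args) {
        // Constructed input: the middle entry is blank, so parseURL yields null for it.
        String constructed = "zookeeper://127.0.0.1:2181; ;nacos://127.0.0.1:8848";
        System.out.println(countProtocol(parseURLsChecked(constructed), "zookeeper"));
        try {
            countProtocol(parseURLsUnchecked(constructed), "zookeeper");
        } catch (NullPointerException e) {
            System.out.println("NPE from null list element: " + e.getMessage());
        }
    }
}
```

Filtering at the producer keeps every consumer of the list safe; a null check only at the call site in step 7 would leave other callers of the same list exposed.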


[GitHub] [dubbo] horizonzy removed a comment on issue #8197: One NPE in ConfigValidationUtils.java

Posted by GitBox <gi...@apache.org>.
horizonzy removed a comment on issue #8197:
URL: https://github.com/apache/dubbo/issues/8197#issuecomment-872713284


   I will fix it.




[GitHub] [dubbo] horizonzy closed issue #8197: One NPE in ConfigValidationUtils.java

Posted by GitBox <gi...@apache.org>.
horizonzy closed issue #8197:
URL: https://github.com/apache/dubbo/issues/8197


   




[GitHub] [dubbo] fangliji commented on issue #8197: One NPE in ConfigValidationUtils.java

Posted by GitBox <gi...@apache.org>.
fangliji commented on issue #8197:
URL: https://github.com/apache/dubbo/issues/8197#issuecomment-873010342


   I will fix it




[GitHub] [dubbo] horizonzy commented on issue #8197: One NPE in ConfigValidationUtils.java

Posted by GitBox <gi...@apache.org>.
horizonzy commented on issue #8197:
URL: https://github.com/apache/dubbo/issues/8197#issuecomment-899178399


   It was fixed by #8208.




[GitHub] [dubbo] horizonzy commented on issue #8197: One NPE in ConfigValidationUtils.java

Posted by GitBox <gi...@apache.org>.
horizonzy commented on issue #8197:
URL: https://github.com/apache/dubbo/issues/8197#issuecomment-872713284


   I will fix it.




[GitHub] [dubbo] chickenlj commented on issue #8197: One NPE in ConfigValidationUtils.java

Posted by GitBox <gi...@apache.org>.
chickenlj commented on issue #8197:
URL: https://github.com/apache/dubbo/issues/8197#issuecomment-899173436


   Is there any progress on this issue? @fangliji

