Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 1.1.0.Beta26
Affects Version/s: None
Component/s: Credential Store
Labels:
None

Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/678

Description

Coverity found possible dereferencing of null value returned from resolveSSLContext() in openConnection()

https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=9564099&defectInstanceId=2359300&mergedDefectId=1389514

OAuth2CredentialSource.java

    private SSLContext resolveSSLContext() {
        if (!isHttps(tokenEndpointUri)) {
            return null;
        }
        return sslContextSupplier == null ? null : sslContextSupplier.get();
    }

    private HttpURLConnection openConnection() throws IOException {
        log.debugf("Opening connection to [%s]", tokenEndpointUri);
        HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.openConnection();

        if (isHttps(tokenEndpointUri)) {
            HttpsURLConnection https = (HttpsURLConnection) connection;

            https.setSSLSocketFactory(resolveSSLContext().getSocketFactory());
            if (hostnameVerifierSupplier != null) {
                https.setHostnameVerifier(checkNotNullParam("hostnameVerifier", hostnameVerifierSupplier.get()));
            }
        }

        return connection;
    }

NPE could probably happen if oauth2-introspection is configured with no client-ssl-context and https introspection-url.

Attachments

Issue Links

clones

JBEAP-8796 Coverity static analysis, Dereference null return value, OAuth2CredentialSource (Elytron)

Verified

Activity

People

Assignee:: Ilia Vassilev

Reporter:: Martin Choma

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2017/02/13 7:56 AM

Updated:: 2017/02/17 1:05 PM

Resolved:: 2017/02/17 1:05 PM