Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11424

Coverity, Dereference null return value, JdbcSecurityRealm (Elytron)

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 7.1.0.ER3
    • 7.1.0.DR19
    • Security
    • None

      Coverity found possible dereference of null.

      executePrincipalQuery() can return null and credential.matches() is called without check

      JdbcSecurityRealm.java
           @Override
156        public <C extends Credential> C getCredential(final Class<C> credentialType, final String algorithmName, final AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
157            Assert.checkNotNullParam("credentialType", credentialType);
158            for (QueryConfiguration configuration : JdbcSecurityRealm.this.queryConfiguration) {
159                for (KeyMapper keyMapper : configuration.getColumnMappers(KeyMapper.class)) {
160                    if (keyMapper.getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec).mayBeSupported()) {
161                        final Credential credential = executePrincipalQuery(configuration, r -> keyMapper.map(r, providers));
162                        if (credential.matches(credentialType, algorithmName, parameterSpec)) {
163                            return credentialType.cast(credential);
164                        }
165                    }
166                }
167            }
168
169            return null;
170        }

      https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=22329013&defectInstanceId=5071812&mergedDefectId=1440468

              rhn-support-ivassile Ilia Vassilev
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: