Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.1.0.DR12
Affects Version/s: 7.1.0.DR8
Component/s: Security
Labels:

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Coverity static-analysis scan found possible call on null object in SingleSignOnServerMechanismFactory.evaluateRequst() method:

getTargetMechanism(mechanismName, singleSignOnSession).evaluateRequest(createHttpServerRequest(request, singleSignOnSession));

https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5760259&defectInstanceId=1541379&mergedDefectId=1369284

The problem is the getTargetMechanism call, which just calls an HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism() method.

The createAuthenticationMechanism doesn't declare it could return null, nevertheless, the implementations use null as fallback (e.g. look at ServerMechanismFactoryImpl.createAuthenticationMechanism())

Suggested improvement
I see 2 possible solutions:
1. Declare in javadoc of HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism() method, that it can return null and add the null-check into the SingleSignOnServerMechanismFactory.evaluateRequst() method
2. or throw an exception from HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism() implementations instead of returning null

is cloned by

ELY-738 Coverity static analysis: Dereference null return value in SingleSignOnServerMechanismFactory (Elytron)

Resolved

Assignee:: Ilia Vassilev

Reporter:: Josef Cacek (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2016/11/11 7:17 AM

Updated:: 2024/09/13 4:07 PM

Resolved:: 2017/02/17 6:11 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates