[jira] [Commented] (QPID-8553) [Broker-J] HP Fortify: Weak SecurityManager Check: Overridable Method

Thu, 05 Aug 2021 04:05:07 -0700 


    [ 
https://issues.apache.org/jira/browse/QPID-8553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17393801#comment-17393801
 ] 

ASF subversion and git services commented on QPID-8553:
-------------------------------------------------------

Commit 699992564fbb9231b5db5d5831540bafaafbc40f in qpid-broker-j's branch 
refs/heads/main from dakirily
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=6999925 ]

QPID-8553 - [Broker-J] Improve code with final keywords

This closes #104


> [Broker-J] HP Fortify: Weak SecurityManager Check: Overridable Method
> ---------------------------------------------------------------------
>
>                 Key: QPID-8553
>                 URL: https://issues.apache.org/jira/browse/QPID-8553
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-8.0.5
>            Reporter: Daniil Kirilyuk
>            Priority: Minor
>             Fix For: qpid-java-broker-9.0.0
>
>
> HP Fortify complains that classes defining security may be overridden by 
> sub-classes and thereby by-passing the security features:
> broker-plugins/access-control/src/main/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java
> Line 58 newToken() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> Line 75 authorise() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
> Line 1022 getConnectionMetaData() - Non-final methods that perform security 
> checks may be overridden in ways that bypass security checks.
> Line 1046 getGroups() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> broker-plugins/management-http/src/main/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
> Line 79 doGet() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> broker-plugins/amqp-0-8-protocol/org/apache/qpid/server/protocol/v0_8/AMQPConnection_0_8Impl.java
> Line 699 readerIdle() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> Executes privileged action.
> broker-plugins/logging-logback/src/main/org/apache/qpid/server/logging/logback/ConnectionAndUserPredicate.java
> Line 43 evaluate() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> broker-plugins/amqp-1-0-protocol/src/main/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
> Line 444 receive() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> Line 1269 readerIdle() - Non-final methods that perform security checks may 
> be overridden in ways that bypass security checks.
> Line 1340 receivedComplete() - Non-final methods that perform security checks 
> may be overridden in ways that bypass security checks.
> broker-plugins/amqp-0-8-protocol/src/main/org/apache/qpid/server/protocol/v0_8/BrokerDecoder.java
> Line 78 processAMQPFrames() - Non-final methods that perform security checks 
> may be overridden in ways that bypass security checks.
> Executes privileged action.
> broker-core/src/main/java/org/apache/qpid/server/security/CompoundAccessControl.java
> Line 68 newToken() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerAssembler.java
> Line 72 received() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> Executes privileged action.
> broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/AMQPConnection_0_10Impl.java
> Line 165 readerIdle() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> Line 182 closed() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> Executes privileged action.
> broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ProxyMessageSource.java
> Line 152 addConsumer() - Non-final methods that perform security checks may 
> be overridden in ways that bypass security checks.
> broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
> Line 172 getProxyNode() - Non-final methods that perform security checks may 
> be overridden in ways that bypass security checks.
> broker-plugins/logging-logback/src/main/java/org/apache/qpid/server/logging/logback/PrincipalLogEventFilter.java
> Line 43 decide() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.
> broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java
> Line 303 receivedComplete() - Non-final methods that perform security checks 
> may be overridden in ways that bypass security checks.
> broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
> Line 359 onOpen() - Non-final methods that perform security checks may be 
> overridden in ways that bypass security checks.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to