[GitHub] [dubbo] containerAnalyzer opened a new issue #8196: One NPE in URLBuilder.java

Thu, 01 Jul 2021 00:05:03 -0700 


containerAnalyzer opened a new issue #8196:
URL: https://github.com/apache/dubbo/issues/8196


   Hello,
   Our static analyzer found a following potential NPE. We have checked the 
feasibility of this execution trace. It is necessary to defend this 
vulnerability to improve the code quality.
   
   1. Return **null** to caller (Trace staring point)
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L69
   
   2. Function **parseURL** executes and returns
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   3. Function **add** executes and **registries** contains **null** value
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   4. Function **parseURLs** executes and returns the **registries**, assigning 
it to **urls** 
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L206
   
   5. Function **next** executes and returns **null** value
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L208
   
   6. The return value of function **next** is used as the 1st parameter in 
function from (the return value of function **next** can be **null**)
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L210
   
   7. **url** is passed as the this pointer to function **getProtocol** 
(**url** can be null), which will leak to null pointer dereference
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/URLBuilder.java#L108
   
   Commit: f26ba91b67f642148a10d3b197502e29928b77bf
   
   
   ContainerAnalyzer


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to