containerAnalyzer opened a new issue #8197:
URL: https://github.com/apache/dubbo/issues/8197


   Hello,
   Our static analyzer found the following potential NPE. We have checked the 
feasibility of this execution trace. It is necessary to defend against this 
vulnerability to improve the code quality.
   This issue has a similar bug trace as the one in #8194 
   
   1. Return **null** to caller 
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L69
   
   2. Function **parseURL** executes and returns
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   3. Function **add** executes and **registries** can contain a **null** value
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
   
   4. Program reaches the return point, and **registries** is the return value, 
which contains a **null** value
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L176
   
   5. Function **parseURLs** executes and returns
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L206
   
   6. Function **next** executes and returns a **null** value
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L208
   
   7. The return value of function **next** is passed as the this pointer to 
function **getProtocol** (the return value of function **next** can be 
**null**), which will lead to a null pointer dereference
   
https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L211
   
   
   Commit: f26ba91b67f642148a10d3b197502e29928b77bf
   
   
   
   ContainerAnalyzer


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


