ouyangnengda commented on issue #8196: URL: https://github.com/apache/dubbo/issues/8196#issuecomment-876141969
> Hello,
> Our static analyzer found the following potential NPE. We have checked the feasibility of this execution trace. It is necessary to defend this vulnerability to improve the code quality.
>
> 1. Return **null** to caller (Trace starting point)
>    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L69
> 2. Function **parseURL** executes and returns
>    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
> 3. Function **add** executes and **registries** contains **null** value
>    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/utils/UrlUtils.java#L174
> 4. Function **parseURLs** executes and returns the **registries**, assigning it to **urls**
>    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L206
> 5. Function **next** executes and returns **null** value
>    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L208
> 6. The return value of function **next** is used as the 1st parameter in function **from** (the return value of function **next** can be **null**)
>    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-config/dubbo-config-api/src/main/java/org/apache/dubbo/config/utils/ConfigValidationUtils.java#L210
> 7. **url** is passed as the this pointer to function **getProtocol** (**url** can be null), which will lead to a null pointer dereference
>    https://github.com/apache/dubbo/blob/f26ba91b67f642148a10d3b197502e29928b77bf/dubbo-common/src/main/java/org/apache/dubbo/common/URLBuilder.java#L108
>
> Commit: [f26ba91](https://github.com/apache/dubbo/commit/f26ba91b67f642148a10d3b197502e29928b77bf)
>
> ContainerAnalyzer

What's the Dubbo version?
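As an added illustration of the trace quoted above (example code, not Dubbo's own; the class and methods are hypothetical stand-ins for `UrlUtils.parseURL`/`parseURLs` and the `URLBuilder.from(url).getProtocol()` consumer), the null returned by a failed parse is stored in the list unchecked and only surfaces as an NPE in the consumer, far from its origin; the hardened variant rejects it at the producer boundary and names the offending input:

```java
import java.util.ArrayList;
import java.util.List;
public class NullUrlTrace { // hypothetical stand-in, not Dubbo code
    // Step 1: a parser that signals failure by returning null (here: blank input).
    static String parseUrl(String address) {
        return (address == null || address.trim().isEmpty()) ? null : address.trim();
    }
    // Steps 2-4 as written in the trace: the null is stored in the list without inspection.
    static List<String> parseUrlsUnsafe(String[] addresses) {
        List<String> registries = new ArrayList<>();
        for (String a : addresses) {
            registries.add(parseUrl(a)); // may add null
        }
        return registries;
    }
    // Hardened: reject the null at the producer boundary, naming the offending input.
    static List<String> parseUrlsSafe(String[] addresses) {
        List<String> registries = new ArrayList<>();
        for (String a : addresses) {
            String url = parseUrl(a);
            if (url == null) {
                throw new IllegalArgumentException("unparseable registry address: '" + a + "'");
            }
            registries.add(url);
        }
        return registries;
    }
    // Steps 5-7: the consumer dereferences each element, like URLBuilder.from(url).getProtocol().
    static String protocolOf(String url) {
        int idx = url.indexOf("://"); // NullPointerException here if url is null
        return idx < 0 ? "" : url.substring(0, idx);
    }
    public static void main(String[] args) {
        String[] input = {"zookeeper://127.0.0.1:2181", " "}; // constructed sample; " " parses to null
        try {
            for (String url : parseUrlsUnsafe(input)) {
                System.out.println(protocolOf(url)); // 2nd iteration throws, far from the failed parse
            }
        } catch (NullPointerException e) {
            System.out.println("unsafe path: NPE in consumer");
        }
        try {
            parseUrlsSafe(input);
        } catch (IllegalArgumentException e) {
            System.out.println("safe path: " + e.getMessage());
        }
    }
}
```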
