[ https://issues.apache.org/jira/browse/GROOVY-11522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17898579#comment-17898579 ]

Zaki commented on GROOVY-11522:
-------------------------------

Thanks [~paulk] for your response and test script.

I assumed this probably wouldn't happen in normal use cases, so I set the
priority to minor. Nevertheless, I wanted to bring it to your attention and
let you decide whether it is something you would want to fix.

> Possible Null Pointer Dereference in VariableScopeVisitor.java
> --------------------------------------------------------------
>
>                 Key: GROOVY-11522
>                 URL: https://issues.apache.org/jira/browse/GROOVY-11522
>             Project: Groovy
>          Issue Type: Bug
>            Reporter: Zaki
>            Priority: Minor
>
> h1. Overview
> In file:
> [*VariableScopeVisitor.java*|https://github.com/apache/groovy/blob/master/src/main/java/org/codehaus/groovy/classgen/VariableScopeVisitor.java#L649],
> there is a potential case of null pointer dereference. In method
> {{visitFieldExpression}} inside class {{VariableScopeVisitor}}, there is a
> call to {{checkVariableContextAccess}} which passes {{variable}} as a
> parameter, and the {{variable}} object comes from
> {{findVariableDeclaration(name)}}, which likely locates the variable by its
> name.
>  
> {code:java}
>     @Override
>     public void visitFieldExpression(final FieldExpression expression) {
>         String name = expression.getFieldName();
>         //TODO: change that to get the correct scope
>         Variable variable = findVariableDeclaration(name);
>         checkVariableContextAccess(variable, expression);
>     }
> {code}
> Inside the *checkVariableContextAccess* method, *variable* is immediately
> dereferenced in the call *variable.isInStaticContext()* without any kind of
> null check.
> {code:java}
>     private void checkVariableContextAccess(final Variable variable, final Expression expression) {
>         if (variable.isInStaticContext()) {
>             ...
>         }
>     }
> {code}
> But *findVariableDeclaration* returns null in cases where *name* equals
> {{super}} or {{this}}. In these cases *variable.isInStaticContext()* will
> throw a *NullPointerException*.
> {code:java}
>     private Variable findVariableDeclaration(final String name) {
>         if ("super".equals(name) || "this".equals(name)) return null;
>         ...
>     }
> {code}
>  
> h3. Sponsorship and Support
> This work is done by the security researchers from OpenRefactory and is
> supported by the [Open Source Security Foundation (OpenSSF)|https://openssf.org/]:
> [Project Alpha-Omega|https://alpha-omega.dev/]. Alpha-Omega is a project
> partnering with open source software project maintainers to systematically
> find new, as-yet-undiscovered vulnerabilities in open source code - and get
> them fixed - to improve global software supply chain security.
> The bug was found by running the iCR tool by
> [OpenRefactory, Inc.|https://openrefactory.com/] and then manually triaging
> the results.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
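The following Groovy script is an added example; it is not part of the Jira issue, of paulk's test script, or of the Groovy project's own code. It exercises the path the report describes by handing VariableScopeVisitor.visitFieldExpression a synthetic FieldExpression whose field is literally named "this" or "super", so that findVariableDeclaration returns null and checkVariableContextAccess dereferences it. It assumes the public Groovy AST API named in the imports (FieldNode, FieldExpression, ClassHelper, SourceUnit.create) and the method bodies quoted in the report; the placeholder class name and the helper names fieldNamed and visitAndCapture are invented for this script.

```groovy
// Added example, not code from the Jira issue or from the Groovy project.
// Assumes the public Groovy AST API imported below; 'Placeholder' and the two
// helper methods are invented for this script.
import org.codehaus.groovy.ast.ClassHelper
import org.codehaus.groovy.ast.FieldNode
import org.codehaus.groovy.ast.expr.FieldExpression
import org.codehaus.groovy.classgen.VariableScopeVisitor
import org.codehaus.groovy.control.SourceUnit

import java.lang.reflect.Modifier

// Builds a FieldExpression whose field name is exactly `name`, including the
// reserved words "this" and "super" that a parser would normally never emit
// as a field name. The owner class is a placeholder; only the name matters.
FieldExpression fieldNamed(String name) {
    def owner = ClassHelper.make('Placeholder')
    def field = new FieldNode(name, Modifier.PUBLIC, ClassHelper.OBJECT_TYPE, owner, null)
    return new FieldExpression(field)
}

// Visits the expression with a fresh VariableScopeVisitor and returns the
// Throwable it raised, or null if the visit completed. The SourceUnit is
// empty because, per the quoted method bodies, visitFieldExpression does not
// consult it before reaching variable.isInStaticContext().
Throwable visitAndCapture(FieldExpression expression) {
    def visitor = new VariableScopeVisitor(SourceUnit.create('Demo.groovy', ''))
    try {
        visitor.visitFieldExpression(expression)
        return null
    } catch (Throwable t) {
        return t
    }
}

// Only the two names the report singles out: findVariableDeclaration returns
// null for both before consulting any scope, so the outcome does not depend
// on how much of a real class context the visitor has been given.
['this', 'super'].each { name ->
    def outcome = visitAndCapture(fieldNamed(name))
    def verdict = outcome == null ? 'completed without exception'
                                  : "threw ${outcome.class.simpleName}"
    println "FieldExpression named '${name}': ${verdict}"
}
```

Run it with the groovy launcher of the Groovy version under test. What it shows is narrow: a hand-built AST node reaches the unguarded dereference. Whether the Groovy parser can ever produce a FieldExpression named "this" or "super" from ordinary source is exactly the question left open in the thread, and the script makes no claim about it; a null guard before variable.isInStaticContext() would make the visitor robust regardless of the answer.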
