[ https://issues.apache.org/jira/browse/GROOVY-11522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17898579#comment-17898579 ]
Zaki commented on GROOVY-11522:
-------------------------------

Thanks [~paulk] for your response and test script. I assumed this probably wouldn't happen in normal use cases so I set the priority to minor. Nevertheless I wanted to bring it to your attention and let you decide if it is something you would want to fix.

> Possible Null Pointer Dereference in VariableScopeVisitor.java
> --------------------------------------------------------------
>
> Key: GROOVY-11522
> URL: https://issues.apache.org/jira/browse/GROOVY-11522
> Project: Groovy
> Issue Type: Bug
> Reporter: Zaki
> Priority: Minor
>
> h1. Overview
>
> In file: [*VariableScopeVisitor.java*|https://github.com/apache/groovy/blob/master/src/main/java/org/codehaus/groovy/classgen/VariableScopeVisitor.java#L649], there is a potential case of null pointer dereference. In method {{*visitFieldExpression*}} inside class {{*VariableScopeVisitor*}}, there is a call to {{*checkVariableContextAccess*}} which passes {{*variable*}} as a parameter, and the {{*variable*}} object comes from {{*findVariableDeclaration(name)*}}, likely locating the variable using its name.
>
> {code:java}
> @Override
> public void visitFieldExpression(final FieldExpression expression) {
>     String name = expression.getFieldName();
>     //TODO: change that to get the correct scope
>     Variable variable = findVariableDeclaration(name);
>     checkVariableContextAccess(variable, expression);
> }
> {code}
>
> Inside the *checkVariableContextAccess* method, *variable* is immediately referenced in the call *variable.isInStaticContext()* without any kind of null-checking.
>
> {code:java}
> private void checkVariableContextAccess(final Variable variable, final Expression expression) {
>     if (variable.isInStaticContext()) {
>         ...
>     }
> }
> {code}
>
> But *findVariableDeclaration* returns null in cases where *name* equals super or this. In these cases *variable.isInStaticContext()* will cause a {*}NullPointerException{*}.
>
> {code:java}
> private Variable findVariableDeclaration(final String name) {
>     if ("super".equals(name) || "this".equals(name)) return null;
>     ...
> }
> {code}
>
> h3. Sponsorship and Support
>
> This work is done by the security researchers from OpenRefactory and is supported by the [Open Source Security Foundation (OpenSSF)|https://openssf.org/]: [Project Alpha-Omega|https://alpha-omega.dev/]. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
>
> The bug is found by running the iCR tool by [OpenRefactory, Inc.|https://openrefactory.com/] and then manually triaging the results.
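As an added illustration, not code from the Groovy project: a reduced Java model of the three quoted methods, where {{Variable}} and {{FieldExpression}} are stand-ins for the Groovy AST types and the null-guarded variant is one possible defensive form (an assumption here; the issue does not specify a fix).

```java
// Reduced model of the methods quoted in GROOVY-11522; not Groovy's own code.
// Variable and FieldExpression below are assumed stand-ins for the AST types.
import java.util.HashMap;
import java.util.Map;

public class NullDerefModel {
    interface Variable { boolean isInStaticContext(); }

    // Assumed minimal field expression: only the field name matters here.
    record FieldExpression(String fieldName) {}

    // Constructed declaration table; "this" and "super" are never stored in it.
    private final Map<String, Variable> declarations = new HashMap<>();

    NullDerefModel() {
        declarations.put("count", () -> true);   // a static field
        declarations.put("name", () -> false);   // an instance field
    }

    // Mirrors the quoted lookup: returns null for "super" and "this".
    private Variable findVariableDeclaration(String name) {
        if ("super".equals(name) || "this".equals(name)) return null;
        return declarations.get(name);
    }

    // Same shape as the quoted code: dereferences variable with no null check.
    boolean checkUnguarded(FieldExpression expression) {
        Variable variable = findVariableDeclaration(expression.fieldName());
        return variable.isInStaticContext();   // throws NPE when variable is null
    }

    // Guarded variant: "no declaration found" means there is no context to check.
    boolean checkGuarded(FieldExpression expression) {
        Variable variable = findVariableDeclaration(expression.fieldName());
        return variable != null && variable.isInStaticContext();
    }

    public static void main(String[] args) {
        NullDerefModel v = new NullDerefModel();
        System.out.println("count static? " + v.checkGuarded(new FieldExpression("count")));
        System.out.println("this static?  " + v.checkGuarded(new FieldExpression("this")));
        try {
            v.checkUnguarded(new FieldExpression("this"));
        } catch (NullPointerException e) {
            System.out.println("unguarded path threw NullPointerException for 'this'");
        }
    }
}
```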