matthiasblaesing commented on a change in pull request #3765:
URL: https://github.com/apache/netbeans/pull/3765#discussion_r837667479
##########
File path:
java/java.lsp.server/src/org/netbeans/modules/java/lsp/server/db/DBAddConnection.java
##########
@@ -66,12 +70,66 @@
@ServiceProvider(service = CodeActionsProvider.class)
public class DBAddConnection extends CodeActionsProvider {
public static final String DB_ADD_CONNECTION = "db.add.connection"; //
NOI18N
+ public static final String USER_ID = "userId"; // NOI18N
+ public static final String PASSWORD = "password"; // NOI18N
+ public static final String DRIVER = "driver"; // NOI18N
+ public static final String DB_URL = "url"; // NOI18N
+ public static final String SCHEMA = "schema"; // NOI18N
+ public static final String DISPLAY_NAME = "displayName"; // NOI18N
+
+ private static final Set<String> COMMANDS = new
HashSet<>(Arrays.asList(DB_ADD_CONNECTION));
+
+ private final Gson gson = new Gson();
@Override
public CompletableFuture<Object> processCommand(NbCodeLanguageClient
client, String command, List<Object> arguments) {
if (!DB_ADD_CONNECTION.equals(command)) {
return null;
}
+
+ String userId = null;
+ String dbUrl = null;
+ String driverClass = null;
+
+ final Map m = gson.fromJson(gson.toJson(arguments.get(0)), Map.class);
+ if (m != null) {
+ userId = (String) m.get(USER_ID);
+ dbUrl = (String) m.get(DB_URL);
+ driverClass = (String) m.get(DRIVER);
+
+ }
+ if (dbUrl != null && driverClass != null) {
+
+ JDBCDriver[] driver =
JDBCDriverManager.getDefault().getDrivers(driverClass); //NOI18N
+ if (driver != null && driver.length > 0) {
+ CompletableFuture<String> usernameFuture = userId != null ?
CompletableFuture.completedFuture(userId) : client.showInputBox(new
ShowInputBoxParams(
+ Bundle.MSG_EnterUsername(), userId));
+
+ usernameFuture.thenAccept((username) -> { //NOI18N
+ if (username == null) {
+ return;
+ }
+ char[] password = m.get(PASSWORD) == null ? null
+ : ((List<Double>) m.get(PASSWORD)).stream().map(n
-> Character.toString((char)
n.byteValue())).collect(Collectors.joining()).toCharArray();
Review comment:
The still unresolved question is: What is the client sending here? How
is the array of `number` generated? Storing a password in an array of `number`
will need a definition how the password must be encoded, so where is the that
defined? I still claim, that you destroy all characters outside the first 255
codepoints.
I just noticed this:
https://github.com/apache/netbeans/blob/687529a07a3cf3bfe59afbdfffaada355a48cf86/java/java.lsp.server/src/org/netbeans/modules/java/lsp/server/db/DBAddConnection.java#L116
So even if I buy the argument that it is somehow saver to store a password
in a char array, so that it can be cleared on the heap, here a string is
explicitly constructed. So this whole argument vanishes.
With this code, just encode the password as string and be done with it. I
see _no_ argument to force the password into a number array.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
