
Coverity static analysis, Dereference null return value, OAuth2CredentialSource (Elytron)


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • 1.1.0.Beta26
    • None
    • Credential Store
    • None

      Coverity found a possible dereference of the null value returned from resolveSSLContext() in openConnection().

      https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=9564099&defectInstanceId=2359300&mergedDefectId=1389514

      OAuth2CredentialSource.java

          // Returns null for plain-http endpoints, and also null for https endpoints
          // when no sslContextSupplier was configured.
          private SSLContext resolveSSLContext() {
              if (!isHttps(tokenEndpointUri)) {
                  return null;
              }
              return sslContextSupplier == null ? null : sslContextSupplier.get();
          }

          private HttpURLConnection openConnection() throws IOException {
              log.debugf("Opening connection to [%s]", tokenEndpointUri);
              HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.openConnection();

              if (isHttps(tokenEndpointUri)) {
                  HttpsURLConnection https = (HttpsURLConnection) connection;

                  // Flagged by Coverity: resolveSSLContext() may return null here
                  // (https endpoint with sslContextSupplier == null).
                  https.setSSLSocketFactory(resolveSSLContext().getSocketFactory());
                  if (hostnameVerifierSupplier != null) {
                      https.setHostnameVerifier(checkNotNullParam("hostnameVerifier", hostnameVerifierSupplier.get()));
                  }
              }

              return connection;
          }

      The NPE can probably be triggered when oauth2-introspection is configured with an https introspection-url but no client-ssl-context.
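      The following is an added illustration, not the Elytron fix for this issue: a self-contained class with the same resolveSSLContext() contract and a hardened openConnection() that checks the result before dereferencing it, falling back to the JVM default SSLContext (which still validates server certificates) when no client-ssl-context is configured. The class name, constructor and the endpoint URL are constructed for the example; the hostname-verifier handling is omitted.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.NoSuchAlgorithmException;
import java.util.function.Supplier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

public class OAuth2ConnectionExample {
    private final URL tokenEndpointUri;
    private final Supplier<SSLContext> sslContextSupplier; // null when no client-ssl-context is configured
    OAuth2ConnectionExample(URL tokenEndpointUri, Supplier<SSLContext> sslContextSupplier) {
        this.tokenEndpointUri = tokenEndpointUri;
        this.sslContextSupplier = sslContextSupplier;
    }
    private static boolean isHttps(URL url) {
        return "https".equalsIgnoreCase(url.getProtocol());
    }
    // Same contract as the reported method: null for plain http, and also null
    // for https when no supplier was configured, which is the case Coverity flagged.
    private SSLContext resolveSSLContext() {
        if (!isHttps(tokenEndpointUri)) {
            return null;
        }
        return sslContextSupplier == null ? null : sslContextSupplier.get();
    }
    // Hardened variant: check the result before dereferencing it. With no configured
    // context, fall back to the JVM default SSLContext, which still validates server
    // certificates, rather than failing with an NPE deep inside openConnection().
    HttpURLConnection openConnection() throws IOException {
        HttpURLConnection connection = (HttpURLConnection) tokenEndpointUri.openConnection();
        if (isHttps(tokenEndpointUri)) {
            SSLContext sslContext = resolveSSLContext();
            if (sslContext == null) {
                try {
                    sslContext = SSLContext.getDefault();
                } catch (NoSuchAlgorithmException e) {
                    throw new IOException("No SSLContext available for " + tokenEndpointUri, e);
                }
            }
            ((HttpsURLConnection) connection).setSSLSocketFactory(sslContext.getSocketFactory());
        }
        return connection;
    }
    public static void main(String[] args) throws IOException {
        // Constructed configuration matching the report: https endpoint, no client-ssl-context.
        // URL.openConnection() performs no network I/O, so this runs offline.
        new OAuth2ConnectionExample(new URL("https://idp.example.test/introspect"), null).openConnection();
        System.out.println("connection prepared without NullPointerException");
    }
}
```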

            rhn-support-ivassile Ilia Vassilev
            mchoma@redhat.com Martin Choma