  1. Sakai
  2. SAK-19523

Discussion/Message stacktrace during penetration testing

      Description

      During the penetration testing there was a stacktrace that came up for discussion. This seemed to be an NPE in message. Add a check and a message when this happens to see if it can be tracked back.

      NPE Introduced by:
      http://bugs.sakaiproject.org/browse/SAK-12650

      This is on the line: ./message/message-impl/impl/src/java/org/sakaiproject/message/impl/BaseMessageService.java
      872 MessageChannelEdit channel = m_storage.putChannel(ref);
      873
      874 // We distinctly log the creation of a channel - even though we check the
      875 // NEW for security - some might suggest that this should wait for the commit
      876 // But it has been added - so we should know this happenned one
      877 // way or another.
      878 Event event = m_eventTrackingService.newEvent(eventId(SECURE_CREATE), channel.getReference(), true);

      This fails when channel is null (there is no null check). It needs to verify that putChannel is successful, and also put in some debugging to see what reference is breaking it. Can have this for the H build.

      putContainer can return null if there is a key conflict without any notice. I'm guessing this is where it's calling into.

      ./kernel-util/src/main/java/org/sakaiproject/util/BaseDbDoubleStorage.java
      . . .

      422 // process the insert
      423 boolean ok = m_sql.dbWrite(statement, fields);
      424
      425 // if this failed, assume a key conflict (i.e. id in use)
      426 if (!ok) return null;
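
The check the description asks for, as an added example that is not part of the original issue or Sakai's own code: a stand-in storage layer returns null on a key conflict, and the caller logs the failing reference and raises a controlled error instead of dereferencing null. `Storage`, `ChannelInUseException`, `sanitize` and the sample reference are hypothetical names and values chosen for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

public class ChannelCreateNullCheck {
    private static final Logger LOG = Logger.getLogger(ChannelCreateNullCheck.class.getName());

    /** Stand-in for the storage layer: returns null when the insert fails (key conflict). */
    static class Storage {
        private final Map<String, String> rows = new HashMap<>();
        String putChannel(String ref) {
            boolean ok = rows.putIfAbsent(ref, "channel:" + ref) == null;
            if (!ok) return null; // silent failure, as described in the issue
            return rows.get(ref);
        }
    }

    /** Hypothetical checked exception so callers get a controlled error, not an NPE. */
    static class ChannelInUseException extends Exception {
        ChannelInUseException(String ref) { super("channel id in use: " + sanitize(ref)); }
    }

    private final Storage storage = new Storage();

    String addChannel(String ref) throws ChannelInUseException {
        String channel = storage.putChannel(ref);
        if (channel == null) {
            // Log the reference that failed so the conflict can be traced back.
            LOG.warning("putChannel returned null for ref=" + sanitize(ref));
            throw new ChannelInUseException(ref);
        }
        return channel; // safe to dereference from here on
    }

    /** Replace CR/LF so a hostile reference cannot forge extra log lines. */
    static String sanitize(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }

    public static void main(String[] args) throws Exception {
        ChannelCreateNullCheck svc = new ChannelCreateNullCheck();
        String ref = "/announcement/channel/site1/main"; // constructed sample reference
        System.out.println("created: " + svc.addChannel(ref));
        try {
            svc.addChannel(ref); // second insert hits the key conflict
        } catch (ChannelInUseException e) {
            System.out.println("handled: " + e.getMessage());
        }
    }
}
```

Handling the null at the call site keeps the failure out of the user-facing stack trace while the log line still records which reference collided.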

                People

                Assignee:
                zqian Zhen Qian
                Reporter:
                zqian Zhen Qian