During the penetration testing there was a stacktrace that came up for discussion. This seemed to be an NPE in message. Add a check and a message when this happens to see if it can be tracked back.
NPE Introduced by:
This is on the line: ./message/message-impl/impl/src/java/org/sakaiproject/message/impl/BaseMessageService.java
872 MessageChannelEdit channel = m_storage.putChannel(ref);
874 // We distinctly log the creation of a channel - even though we check the
875 // NEW for security - some might suggest that this should wait for the commit
876 // But it has been added - so we should know this happenned one
877 // way or another.
878 Event event = m_eventTrackingService.newEvent(eventId(SECURE_CREATE), channel.getReference(), true);
When channel is null (no null check). Needs to verify that putChannel is successful. And also put in some debugging to see what reference is breaking it. Can have this for the H build.
putContainer can return null if there is a key conflict without any notice. I'm guessing this is where it's calling into.
. . .
422 // process the insert
423 boolean ok = m_sql.dbWrite(statement, fields);
425 // if this failed, assume a key conflict (i.e. id in use)
426 if (!ok) return null;
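An added sketch of the check requested above (not Sakai code and not part of the ticket): the caller tests the result of putChannel before dereferencing it and logs the reference that failed. ChannelStore, ChannelCreateException and the reference strings are hypothetical stand-ins constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

// Stand-alone sketch: ChannelStore, ChannelCreateException and the reference
// strings are hypothetical stand-ins, not Sakai classes.
public class PutChannelNullCheck {
    private static final Logger LOG = Logger.getLogger(PutChannelNullCheck.class.getName());

    static class ChannelCreateException extends Exception {
        ChannelCreateException(String msg) { super(msg); }
    }

    // Mimics the storage behaviour quoted above: a failed insert is reported
    // only as a null return, with no exception and no log line.
    static class ChannelStore {
        private final Map<String, String> rows = new HashMap<>();
        String putChannel(String ref) {
            if (ref == null || rows.containsKey(ref)) return null; // "assume a key conflict"
            rows.put(ref, ref);
            return ref;
        }
    }

    private final ChannelStore storage = new ChannelStore();

    // Checks the result before it is dereferenced and records which
    // reference failed, so the failure can be traced back from the log.
    String addChannel(String ref) throws ChannelCreateException {
        String channel = storage.putChannel(ref);
        if (channel == null) {
            // Neutralise CR/LF so a crafted reference cannot forge log lines.
            String safeRef = String.valueOf(ref).replaceAll("[\\r\\n]", "_");
            LOG.warning("putChannel returned null (assumed key conflict) for ref=" + safeRef);
            throw new ChannelCreateException("channel not created for ref " + safeRef);
        }
        return channel; // only now is it safe to build the SECURE_CREATE event
    }

    public static void main(String[] args) {
        PutChannelNullCheck svc = new PutChannelNullCheck();
        // Constructed input: the second call repeats the reference to force the conflict.
        String[] refs = { "/constructed/channel/site1/main", "/constructed/channel/site1/main" };
        for (String ref : refs) {
            try { System.out.println("created " + svc.addChannel(ref)); }
            catch (ChannelCreateException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```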