Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential NPE from MethodParameter.getMethod() check in KotlinDelegate.hasDefaultValue() #33609

Closed
openrefactorymunawar opened this issue Sep 30, 2024 · 1 comment
Closed

Potential NPE from MethodParameter.getMethod() check in KotlinDelegate.hasDefaultValue() #33609

openrefactorymunawar opened this issue Sep 30, 2024 · 1 comment
Assignees
@jhoeller
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
Milestone
6.1.14

Comments

@openrefactorymunawar
Copy link

Summary

In your repository (MAVENorg.springframework:spring-web @ 6.1.12), we have found a bug that may require your attention.

In file: AbstractNamedValueArgumentResolver.java, class: KotlinDelegate, method: hasDefaultValue, there is a potential Null pointer dereference at:

spring-framework/spring-webflux/src/main/java/org/springframework/web/reactive/result/method/annotation/AbstractNamedValueArgumentResolver.java

Line 341 in 3476425

Method method = Objects.requireNonNull(parameter.getMethod());

In other places of the code (e.g.,

spring-framework/spring-core/src/main/java/org/springframework/core/MethodParameter.java

Line 513 in d79258a

Method method = getMethod();
or

spring-framework/spring-core/src/main/java/org/springframework/core/MethodParameter.java

Line 774 in d79258a

Method method = getMethod();
), the return value of the getMethod method was checked for null value. But if we put it directly inside Objects.requireNonNull, we may have an exception.

A potential fix will be to replace the following line

Method method = Objects.requireNonNull(parameter.getMethod());

with

Method method = parameter.getMethod();
if (method == null) {
    return false;
}

Another option could be to use Objects.requireNonNullElse.

Sponsorship and Support

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Sep 30, 2024
@jhoeller jhoeller added in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Sep 30, 2024
@jhoeller jhoeller self-assigned this Sep 30, 2024
@jhoeller jhoeller added this to the 6.1.14 milestone Sep 30, 2024
@jhoeller
Copy link
Contributor

Good catch, this is worth turning into a more defensive check within that local delegate (also in the equivalent code in AbstractNamedValueMethodArgumentResolver for Spring MVC). That said, in practice it is not an actual bug since all current invocation scenarios are method-based anyway.

@jhoeller jhoeller changed the title Potential null pointer dereference where a null check should be added Potential NPE from MethodParameter.getMethod() check in KotlinDelegate.hasDefaultValue Sep 30, 2024
@jhoeller jhoeller changed the title Potential NPE from MethodParameter.getMethod() check in KotlinDelegate.hasDefaultValue Potential NPE from MethodParameter.getMethod() check in KotlinDelegate.hasDefaultValue() Sep 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jhoeller jhoeller

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
Projects
None yet
Milestone
6.1.14
Development

No branches or pull requests
3 participants
@jhoeller @spring-projects-issues @openrefactorymunawar