containerAnalyzer opened a new pull request #3164:
URL: https://github.com/apache/hadoop/pull/3164


   Hello,
   Our static analyzer found the following potential NPE. We have checked the 
feasibility of this execution trace. It is necessary to defend this 
vulnerability to improve the code quality. We have provided the patch for you. 
Please check and confirm it.
   
   Here is the bug trace.
   
   1. Select the false branch at this point (expressionClass==null is true), 
and null is assigned to instance
   
https://github.com/apache/hadoop/blob/986d0a4f1d5543fa0b4f5916729728f78b4acec9/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/find/ExpressionFactory.java#L129-L133
   
   2. Return instance to caller, which can be null (The return value can be 
null)
   
https://github.com/apache/hadoop/blob/986d0a4f1d5543fa0b4f5916729728f78b4acec9/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/find/ExpressionFactory.java#L133
   
   3. Function createExpression executes and stores the return value to expr 
(expr can be null)
   
https://github.com/apache/hadoop/blob/986d0a4f1d5543fa0b4f5916729728f78b4acec9/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/find/Find.java#L113
   
   4. Function add executes and primaries contains a null value
   
https://github.com/apache/hadoop/blob/986d0a4f1d5543fa0b4f5916729728f78b4acec9/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/find/Find.java#L117
   
   5. Function next executes and stores the return value to expr (expr can be 
null)
   
https://github.com/apache/hadoop/blob/986d0a4f1d5543fa0b4f5916729728f78b4acec9/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/find/Find.java#L139
   
   6. expr is passed as the this pointer to function getUsage (expr can be 
null), which will lead to a null pointer dereference
   
https://github.com/apache/hadoop/blob/986d0a4f1d5543fa0b4f5916729728f78b4acec9/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/shell/find/Find.java#L140
   
   
   Commit: 986d0a4f1d5543fa0b4f5916729728f78b4acec9
   
   
   
   
   ContainerAnalyzer


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
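
The null propagation traced in steps 1-6 above, reduced to a self-contained sketch. This is an added example, not Hadoop's code and not the patch proposed in this pull request: only the names `createExpression`, `getUsage`, `primaries` and `expr` come from the trace, while the `REGISTRY` map, the string-keyed lookup, and both `usage*` methods are hypothetical stand-ins. It shows the failure surfacing far from its cause, next to one possible guard at the creation site.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;

public class NullExpressionDemo {
  interface Expression { String[] getUsage(); }

  // Hypothetical registry standing in for the factory's expression lookup.
  static final Map<String, Supplier<Expression>> REGISTRY = new HashMap<>();
  static { REGISTRY.put("-name", () -> () -> new String[] {"-name pattern"}); }

  // Steps 1-2: an unregistered expression leaves the instance null, and null is returned.
  static Expression createExpression(String name) {
    Supplier<Expression> ctor = REGISTRY.get(name);
    return ctor == null ? null : ctor.get();
  }

  // Steps 3-6, unguarded: null is stored in primaries and dereferenced later.
  static List<String> usageUnguarded(List<String> names) {
    List<Expression> primaries = new ArrayList<>();
    for (String n : names) primaries.add(createExpression(n)); // may add null
    List<String> out = new ArrayList<>();
    for (Expression expr : primaries) {
      out.addAll(Arrays.asList(expr.getUsage())); // NullPointerException if expr is null
    }
    return out;
  }

  // Guarded: reject the null where it is produced, naming the offending input.
  static List<String> usageGuarded(List<String> names) {
    List<String> out = new ArrayList<>();
    for (String n : names) {
      Expression expr = createExpression(n);
      if (expr == null) throw new IllegalArgumentException("Unknown expression: " + n);
      out.addAll(Arrays.asList(expr.getUsage()));
    }
    return out;
  }

  public static void main(String[] args) {
    List<String> names = Arrays.asList("-name", "-bogus"); // constructed input
    try { usageUnguarded(names); }
    catch (NullPointerException e) { System.out.println("unguarded: NPE at the use site"); }
    try { usageGuarded(names); }
    catch (IllegalArgumentException e) { System.out.println("guarded: " + e.getMessage()); }
  }
}
```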


