Please review and fix if needed.

Thanks

Bosco


On 10/19/17, 12:41 AM, "scan-ad...@coverity.com" <scan-ad...@coverity.com> wrote:

    
    Hi,
    
    Please find the latest report on new defect(s) introduced to Apache Ranger found with Coverity Scan.
    
    6 new defect(s) introduced to Apache Ranger found with Coverity Scan.
    5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
    
    New defect(s) Reported-by: Coverity Scan
    Showing 6 of 6 defect(s)
    
    
    ** CID 168486:  Code maintainability issues  (UNUSED_VALUE)
    /security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 1606 in org.apache.ranger.biz.ServiceDBStore.updateService(org.apache.ranger.plugin.model.RangerService, java.util.Map)()
    
    
    
________________________________________________________________________________________________________
    *** CID 168486:  Code maintainability issues  (UNUSED_VALUE)
    /security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 1606 in org.apache.ranger.biz.ServiceDBStore.updateService(org.apache.ranger.plugin.model.RangerService, java.util.Map)()
    1600                        }
    1601     
    1602                        if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
    1603                                if (StringUtils.equalsIgnoreCase(configValue, HIDDEN_PASSWORD_STR)) {
    1604                                             String[] crypt_algo_array = null;
    1605                                             if (configValue.contains(",")) {
    >>>     CID 168486:  Code maintainability issues  (UNUSED_VALUE)
    >>>     Assigning value from "configValue.split(",")" to "crypt_algo_array" here, but that stored value is overwritten before it can be used.
    1606                                                     crypt_algo_array = configValue.split(",");
    1607                                             }
    1608                                             if (oldPassword != null && oldPassword.contains(",")) {
    1609                                                String encryptKey = null;
    1610                                                String salt = null;
    1611                                                int iterationCount = 0;
    
    ** CID 168485:  High impact security  (CSRF)
    /security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 212 in org.apache.ranger.rest.PublicAPIsv2.updateService(org.apache.ranger.plugin.model.RangerService, java.lang.Long, javax.servlet.http.HttpServletRequest)()
    
    
    
________________________________________________________________________________________________________
    *** CID 168485:  High impact security  (CSRF)
    /security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 212 in org.apache.ranger.rest.PublicAPIsv2.updateService(org.apache.ranger.plugin.model.RangerService, java.lang.Long, javax.servlet.http.HttpServletRequest)()
    206         }
    207     
    208         @PUT
    209         @Path("/api/service/{id}")
    210         @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()")
    211         @Produces({ "application/json", "application/xml" })
    >>>     CID 168485:  High impact security  (CSRF)
    >>>     No CSRF protection was detected anywhere in this application. If this is not correct, please refer to the CSRF checker reference on how to specify it via checker option.
    212         public RangerService updateService(RangerService service, @PathParam("id") Long id,
    213                                            @Context HttpServletRequest request) {
    214                 // if service.id is specified, it should be same as the param 'id'
    215                 if(service.getId() == null) {
    216                         service.setId(id);
    217                 } else if(!service.getId().equals(id)) {
    
    ** CID 168484:  Incorrect expression  (COPY_PASTE_ERROR)
    /security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 1625 in org.apache.ranger.biz.ServiceDBStore.updateService(org.apache.ranger.plugin.model.RangerService, java.util.Map)()
    
    
    
________________________________________________________________________________________________________
    *** CID 168484:  Incorrect expression  (COPY_PASTE_ERROR)
    /security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 1625 in org.apache.ranger.biz.ServiceDBStore.updateService(org.apache.ranger.plugin.model.RangerService, java.util.Map)()
    1619                                                     if (!OLD_CRYPT_ALGO.equalsIgnoreCase(CRYPT_ALGO)) {
    1620                                                             String decryptedPwd = PasswordUtils.decryptPassword(oldPassword);
    1621                                                             String paddingString = CRYPT_ALGO + "," +  encryptKey + "," + salt + "," + iterationCount;
    1622                                                             String encryptedPwd = PasswordUtils.encryptPassword(paddingString + "," + decryptedPwd);
    1623                                                             String newDecryptedPwd = PasswordUtils.decryptPassword(paddingString + "," + encryptedPwd);
    1624                                                             if (StringUtils.equals(newDecryptedPwd, decryptedPwd)) {
    >>>     CID 168484:  Incorrect expression  (COPY_PASTE_ERROR)
    >>>     "configValue" in "configValue = paddingString + "," + encryptedPwd" looks like a copy-paste error.
    1625                                                                     configValue = paddingString + "," + encryptedPwd;
    1626                                                             }
    1627                                                     } else {
    1628                                                             configValue = oldPassword;
    1629                                                     }
    1630                                             } else {
    
    ** CID 168483:  High impact security  (CSRF)
    /security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java: 674 in org.apache.ranger.rest.ServiceREST.updateService(org.apache.ranger.plugin.model.RangerService, javax.servlet.http.HttpServletRequest)()
    
    
    
________________________________________________________________________________________________________
    *** CID 168483:  High impact security  (CSRF)
    /security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java: 674 in org.apache.ranger.rest.ServiceREST.updateService(org.apache.ranger.plugin.model.RangerService, javax.servlet.http.HttpServletRequest)()
    668         }
    669     
    670         @PUT
    671         @Path("/services/{id}")
    672         @Produces({ "application/json", "application/xml" })
    673         @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")")
    >>>     CID 168483:  High impact security  (CSRF)
    >>>     No CSRF protection was detected anywhere in this application. If this is not correct, please refer to the CSRF checker reference on how to specify it via checker option.
    674         public RangerService updateService(RangerService service,
    675                                            @Context HttpServletRequest request) {
    676                 if(LOG.isDebugEnabled()) {
    677                         LOG.debug("==> ServiceREST.updateService(): " + service);
    678                 }
    679     
    
    ** CID 168482:  FindBugs: Bad practice  (FB.NP_BOOLEAN_RETURN_NULL)
    
    /agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java: 179 in org.apache.ranger.plugin.contextenricher.RangerTagEnricher$ResourceHierarchies.isValidHierarchy(int, java.util.Collection)()
    
    
    
________________________________________________________________________________________________________
    *** CID 168482:  FindBugs: Bad practice  (FB.NP_BOOLEAN_RETURN_NULL)
    
    /agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java: 179 in org.apache.ranger.plugin.contextenricher.RangerTagEnricher$ResourceHierarchies.isValidHierarchy(int, java.util.Collection)()
    173                                         return accessHierarchies.get(resourceKeys);
    174                                 case RangerPolicy.POLICY_TYPE_DATAMASK:
    175                                         return dataMaskHierarchies.get(resourceKeys);
    176                                 case RangerPolicy.POLICY_TYPE_ROWFILTER:
    177                                         return rowFilterHierarchies.get(resourceKeys);
    178                                 default:
    >>>     CID 168482:  FindBugs: Bad practice  (FB.NP_BOOLEAN_RETURN_NULL)
    >>>     org.apache.ranger.plugin.contextenricher.RangerTagEnricher$ResourceHierarchies.isValidHierarchy(int, Collection) has Boolean return type and returns explicit null.
    179                                         return null;
    180                         }
    181                 }
    182     
    183                 public void addHierarchy(int policyType, Collection<String> resourceKeys, Boolean isValid) {
    184                         switch (policyType) {
    
    ** CID 168481:  High impact security  (CSRF)
    /security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 229 in org.apache.ranger.rest.PublicAPIsv2.updateServiceByName(org.apache.ranger.plugin.model.RangerService, java.lang.String, javax.servlet.http.HttpServletRequest)()
    
    
    
________________________________________________________________________________________________________
    *** CID 168481:  High impact security  (CSRF)
    /security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 229 in org.apache.ranger.rest.PublicAPIsv2.updateServiceByName(org.apache.ranger.plugin.model.RangerService, java.lang.String, javax.servlet.http.HttpServletRequest)()
    223     
    224     
    225         @PUT
    226         @Path("/api/service/name/{name}")
    227         @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()")
    228         @Produces({ "application/json", "application/xml" })
    >>>     CID 168481:  High impact security  (CSRF)
    >>>     No CSRF protection was detected anywhere in this application. If this is not correct, please refer to the CSRF checker reference on how to specify it via checker option.
    229         public RangerService updateServiceByName(RangerService service,
    230                                                  @PathParam("name") String name,
    231                                                  @Context HttpServletRequest request) {
    232                 // ignore service.id - if specified. Retrieve using the given name and use id from the retrieved object
    233                 RangerService existingService = getServiceByName(name);
    234                 service.setId(existingService.getId());
    
    
    
________________________________________________________________________________________________________
    To view the defects in Coverity Scan visit, 
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRZSbhom32dlDl11LWEm9nX11zsOWMf5dv3Q9Mogo-2FGua3FsLRTFft2V-2FOFC9o0P2e0-3D_d04ZgyDzSjlwpjXIuOFYDNE6R93Lal83MDClQK32PZvBHO2uwjTC6oI9AoOiQ09YnvCaB07X2Mc1Ny8XVCqNanWvrvYWabr8vco6TUsJRIUi8O2x5IMH-2B6NfPiBuleuleU781FvpPDROwijhyXOABRxpnEZlo-2BHLsIoCPc9Din38UMqTgg7SgSFIk2TeL3RctMLUmertVhpme3KA3Nvz-2FA-3D-3D
    