Please review and fix if needed. Thanks
Bosco

On 10/19/17, 12:41 AM, "scan-ad...@coverity.com" <scan-ad...@coverity.com> wrote:

Hi,

Please find the latest report on new defect(s) introduced to Apache Ranger found with Coverity Scan.

6 new defect(s) introduced to Apache Ranger found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)


** CID 168486: Code maintainability issues (UNUSED_VALUE)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 1606 in org.apache.ranger.biz.ServiceDBStore.updateService(org.apache.ranger.plugin.model.RangerService, java.util.Map)()


________________________________________________________________________________________________________
*** CID 168486: Code maintainability issues (UNUSED_VALUE)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 1606 in org.apache.ranger.biz.ServiceDBStore.updateService(org.apache.ranger.plugin.model.RangerService, java.util.Map)()
1600     }
1601
1602     if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
1603         if (StringUtils.equalsIgnoreCase(configValue, HIDDEN_PASSWORD_STR)) {
1604             String[] crypt_algo_array = null;
1605             if (configValue.contains(",")) {
>>>     CID 168486: Code maintainability issues (UNUSED_VALUE)
>>>     Assigning value from "configValue.split(",")" to "crypt_algo_array" here, but that stored value is overwritten before it can be used.
1606                 crypt_algo_array = configValue.split(",");
1607             }
1608             if (oldPassword != null && oldPassword.contains(",")) {
1609                 String encryptKey = null;
1610                 String salt = null;
1611                 int iterationCount = 0;


** CID 168485: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 212 in org.apache.ranger.rest.PublicAPIsv2.updateService(org.apache.ranger.plugin.model.RangerService, java.lang.Long, javax.servlet.http.HttpServletRequest)()


________________________________________________________________________________________________________
*** CID 168485: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 212 in org.apache.ranger.rest.PublicAPIsv2.updateService(org.apache.ranger.plugin.model.RangerService, java.lang.Long, javax.servlet.http.HttpServletRequest)()
206     }
207
208     @PUT
209     @Path("/api/service/{id}")
210     @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()")
211     @Produces({ "application/json", "application/xml" })
>>>     CID 168485: High impact security (CSRF)
>>>     No CSRF protection was detected anywhere in this application. If this is not correct, please refer to the CSRF checker reference on how to specify it via checker option.
212     public RangerService updateService(RangerService service, @PathParam("id") Long id,
213                                        @Context HttpServletRequest request) {
214         // if service.id is specified, it should be same as the param 'id'
215         if(service.getId() == null) {
216             service.setId(id);
217         } else if(!service.getId().equals(id)) {


** CID 168484: Incorrect expression (COPY_PASTE_ERROR)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 1625 in org.apache.ranger.biz.ServiceDBStore.updateService(org.apache.ranger.plugin.model.RangerService, java.util.Map)()


________________________________________________________________________________________________________
*** CID 168484: Incorrect expression (COPY_PASTE_ERROR)
/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: 1625 in org.apache.ranger.biz.ServiceDBStore.updateService(org.apache.ranger.plugin.model.RangerService, java.util.Map)()
1619                     if (!OLD_CRYPT_ALGO.equalsIgnoreCase(CRYPT_ALGO)) {
1620                         String decryptedPwd = PasswordUtils.decryptPassword(oldPassword);
1621                         String paddingString = CRYPT_ALGO + "," + encryptKey + "," + salt + "," + iterationCount;
1622                         String encryptedPwd = PasswordUtils.encryptPassword(paddingString + "," + decryptedPwd);
1623                         String newDecryptedPwd = PasswordUtils.decryptPassword(paddingString + "," + encryptedPwd);
1624                         if (StringUtils.equals(newDecryptedPwd, decryptedPwd)) {
>>>     CID 168484: Incorrect expression (COPY_PASTE_ERROR)
>>>     "configValue" in "configValue = paddingString + "," + encryptedPwd" looks like a copy-paste error.
1625                             configValue = paddingString + "," + encryptedPwd;
1626                         }
1627                     } else {
1628                         configValue = oldPassword;
1629                     }
1630                 } else {


** CID 168483: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java: 674 in org.apache.ranger.rest.ServiceREST.updateService(org.apache.ranger.plugin.model.RangerService, javax.servlet.http.HttpServletRequest)()


________________________________________________________________________________________________________
*** CID 168483: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java: 674 in org.apache.ranger.rest.ServiceREST.updateService(org.apache.ranger.plugin.model.RangerService, javax.servlet.http.HttpServletRequest)()
668     }
669
670     @PUT
671     @Path("/services/{id}")
672     @Produces({ "application/json", "application/xml" })
673     @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")")
>>>     CID 168483: High impact security (CSRF)
>>>     No CSRF protection was detected anywhere in this application. If this is not correct, please refer to the CSRF checker reference on how to specify it via checker option.
674     public RangerService updateService(RangerService service,
675                                        @Context HttpServletRequest request) {
676         if(LOG.isDebugEnabled()) {
677             LOG.debug("==> ServiceREST.updateService(): " + service);
678         }
679


** CID 168482: FindBugs: Bad practice (FB.NP_BOOLEAN_RETURN_NULL)
/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java: 179 in org.apache.ranger.plugin.contextenricher.RangerTagEnricher$ResourceHierarchies.isValidHierarchy(int, java.util.Collection)()


________________________________________________________________________________________________________
*** CID 168482: FindBugs: Bad practice (FB.NP_BOOLEAN_RETURN_NULL)
/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java: 179 in org.apache.ranger.plugin.contextenricher.RangerTagEnricher$ResourceHierarchies.isValidHierarchy(int, java.util.Collection)()
173                 return accessHierarchies.get(resourceKeys);
174             case RangerPolicy.POLICY_TYPE_DATAMASK:
175                 return dataMaskHierarchies.get(resourceKeys);
176             case RangerPolicy.POLICY_TYPE_ROWFILTER:
177                 return rowFilterHierarchies.get(resourceKeys);
178             default:
>>>     CID 168482: FindBugs: Bad practice (FB.NP_BOOLEAN_RETURN_NULL)
>>>     org.apache.ranger.plugin.contextenricher.RangerTagEnricher$ResourceHierarchies.isValidHierarchy(int, Collection) has Boolean return type and returns explicit null.
179                 return null;
180         }
181     }
182
183     public void addHierarchy(int policyType, Collection<String> resourceKeys, Boolean isValid) {
184         switch (policyType) {


** CID 168481: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 229 in org.apache.ranger.rest.PublicAPIsv2.updateServiceByName(org.apache.ranger.plugin.model.RangerService, java.lang.String, javax.servlet.http.HttpServletRequest)()


________________________________________________________________________________________________________
*** CID 168481: High impact security (CSRF)
/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java: 229 in org.apache.ranger.rest.PublicAPIsv2.updateServiceByName(org.apache.ranger.plugin.model.RangerService, java.lang.String, javax.servlet.http.HttpServletRequest)()
223
224
225     @PUT
226     @Path("/api/service/name/{name}")
227     @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()")
228     @Produces({ "application/json", "application/xml" })
>>>     CID 168481: High impact security (CSRF)
>>>     No CSRF protection was detected anywhere in this application. If this is not correct, please refer to the CSRF checker reference on how to specify it via checker option.
229     public RangerService updateServiceByName(RangerService service,
230                                              @PathParam("name") String name,
231                                              @Context HttpServletRequest request) {
232         // ignore service.id - if specified. Retrieve using the given name and use id from the retrieved object
233         RangerService existingService = getServiceByName(name);
234         service.setId(existingService.getId());


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRZSbhom32dlDl11LWEm9nX11zsOWMf5dv3Q9Mogo-2FGua3FsLRTFft2V-2FOFC9o0P2e0-3D_d04ZgyDzSjlwpjXIuOFYDNE6R93Lal83MDClQK32PZvBHO2uwjTC6oI9AoOiQ09YnvCaB07X2Mc1Ny8XVCqNanWvrvYWabr8vco6TUsJRIUi8O2x5IMH-2B6NfPiBuleuleU781FvpPDROwijhyXOABRxpnEZlo-2BHLsIoCPc9Din38UMqTgg7SgSFIk2TeL3RctMLUmertVhpme3KA3Nvz-2FA-3D-3D