[ https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
xiaoqin.fu updated THRIFT-4928: ------------------------------- Description: Operations: During Apache Thrift integration testing, I developed a calculator application with a client and a server. The client sent a computational command and get the result from the server. After I applied dynamic taint analyzer (distTaint), I found bugs from taint paths finally. The source: org.apache.thrift.transport.TIOStreamTransport: public int read(byte[] buf, int off, int len) throws TTransportException { if (inputStream_ == null) { throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read from null inputStream"); } int bytesRead; ...... bytesRead = inputStream_.read(buf, off, len); ...... } The sink: org.apache.thrift.transport.TTransport, public int readAll(byte[] buf, int off, int len) throws TTransportException { ...... if (ret <= 0) { throw new TTransportException( "Cannot read. Remote side has closed. Tried to read " + len + " bytes, but only got " + got + " bytes. (This is often indicative of an internal error on the server side. Please check your server logs.)"); } ...... } Sensitive information about expected and actual reading lengths (len, got) is leaked. The tainted path: org.apache.thrift.transport.TIOStreamTransport --> org.apache.thrift.transport.TTransport I am going to submit a CVE, so please confirm this is not a true positive. was: The source: org.apache.thrift.transport.TIOStreamTransport: public int read(byte[] buf, int off, int len) throws TTransportException { if (inputStream_ == null) { throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read from null inputStream"); } int bytesRead; ...... bytesRead = inputStream_.read(buf, off, len); ...... } The sink: org.apache.thrift.transport.TTransport, public int readAll(byte[] buf, int off, int len) throws TTransportException { ...... if (ret <= 0) { throw new TTransportException( "Cannot read. Remote side has closed. Tried to read " + len + " bytes, but only got " + got + " bytes. (This is often indicative of an internal error on the server side. Please check your server logs.)"); } ...... } Sensitive information about expected and actual reading lengths (len, got) is leaked. The tainted path: org.apache.thrift.transport.TIOStreamTransport --> org.apache.thrift.transport.TTransport > Sensitive information about expected and actual reading lengths (len, got) is > leaked from TIOStreamTransport to TTransport through a TTransportException > -------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: THRIFT-4928 > URL: https://issues.apache.org/jira/browse/THRIFT-4928 > Project: Thrift > Issue Type: Bug > Components: Java - Library > Affects Versions: 0.11.0, 0.12.0 > Environment: Ubuntu 16.04.3 LTS > Open JDK version "1.8.0_191" build 25.191-b12 > Reporter: xiaoqin.fu > Priority: Major > > Operations: During Apache Thrift integration testing, I developed a > calculator application with a client and a server. The client sent a > computational command and get the result from the server. After I applied > dynamic taint analyzer (distTaint), I found bugs from taint paths finally. > The source: org.apache.thrift.transport.TIOStreamTransport: > public int read(byte[] buf, int off, int len) throws TTransportException { > if (inputStream_ == null) { > throw new TTransportException(TTransportException.NOT_OPEN, "Cannot > read from null inputStream"); > } > int bytesRead; > ...... > bytesRead = inputStream_.read(buf, off, len); > ...... > } > > The sink: org.apache.thrift.transport.TTransport, > public int readAll(byte[] buf, int off, int len) > throws TTransportException { > ...... > if (ret <= 0) { > throw new TTransportException( > "Cannot read. Remote side has closed. Tried to read " > + len > + " bytes, but only got " > + got > + " bytes. (This is often indicative of an internal > error on the server side. Please check your server logs.)"); > } > ...... > } > Sensitive information about expected and actual reading lengths (len, got) > is leaked. > The tainted path: > org.apache.thrift.transport.TIOStreamTransport --> > org.apache.thrift.transport.TTransport > > I am going to submit a CVE, so please confirm this is not a true positive. -- This message was sent by Atlassian JIRA (v7.6.14#76016)