In file: TimeStampRequest.java, there is a potential case of null pointer dereference. In method validate(), there is a call to convert(), which returns null if parameter orig is null.
```java
private Set convert(Set orig)
{
    if (orig == null)
    {
        return orig; // Returns null if input is null
    }
    Set con = new HashSet(orig.size());
    // Rest of the code ...
}

public void validate(
    Set algorithms,
    Set policies,
    Set extensions)
    throws TSPException
{
    algorithms = convert(algorithms);
    policies = convert(policies);
    extensions = convert(extensions);

    // algorithms may be null at this point; it is dereferenced without a check
    if (!algorithms.contains(this.getMessageImprintAlgOID()))
    {
        throw new TSPValidationException("request contains unknown algorithm", PKIFailureInfo.badAlg);
    }
    // Rest of the code...
}
```
In the validate() method, this null return value is not checked before use:
```java
if (!algorithms.contains(this.getMessageImprintAlgOID()))
{
    throw new TSPValidationException("request contains unknown algorithm", PKIFailureInfo.badAlg);
}
```
So, when algorithms.contains() is called, a NullPointerException will be thrown. This creates a reliability issue and could potentially be used to bypass validation checks.
So a possible fix would be to add a proper null check before use, as is already done for policies and extensions:
Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
The bug was found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.
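The pattern reported above, as an added, self-contained example that is not part of the issue and not Bouncy Castle code: a stand-in class (the class name, the `IllegalArgumentException`/`IllegalStateException` types and the OID strings are assumptions chosen for the demo) reproduces `convert()` passing null through, shows the unconditional dereference crashing with a `NullPointerException`, and places two possible null-check shapes beside it. The point the fix has to settle is what a null allow-list means: a bare `algorithms != null && ...` guard removes the crash but turns null into "accept any algorithm", whereas failing closed treats null as a misconfiguration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Constructed demo of the null-dereference pattern described in the issue.
 * Not Bouncy Castle code: class name, exception types and OIDs are stand-ins.
 */
public class NullAllowListDemo {

    // id-sha256 OID, used as a realistic message-imprint algorithm identifier.
    static final String SHA256_OID = "2.16.840.1.101.3.4.2.1";

    // Mirrors convert() from the issue: a null input is returned unchanged,
    // so every caller has to cope with a null result.
    private static Set<String> convert(Set<String> orig) {
        if (orig == null) {
            return orig;
        }
        return new HashSet<>(orig);
    }

    // Vulnerable shape: the converted set is dereferenced unconditionally.
    static void validateUnchecked(String requestAlgOid, Set<String> algorithms) {
        algorithms = convert(algorithms);
        if (!algorithms.contains(requestAlgOid)) { // NullPointerException when algorithms is null
            throw new IllegalArgumentException("request contains unknown algorithm");
        }
    }

    // Hardened shape, fail-closed: a null allow-list is a configuration error,
    // not permission to accept any algorithm.
    static void validateFailClosed(String requestAlgOid, Set<String> algorithms) {
        algorithms = convert(algorithms);
        if (algorithms == null) {
            throw new IllegalStateException("no accepted algorithms configured");
        }
        if (!algorithms.contains(requestAlgOid)) {
            throw new IllegalArgumentException("request contains unknown algorithm");
        }
    }

    // Alternative shape, "null means unrestricted": what a
    // `algorithms != null && !algorithms.contains(...)` guard expresses.
    // It removes the crash but silently accepts every algorithm when the
    // caller passes null, so it is only right if that is the intended contract.
    static void validateNullMeansAny(String requestAlgOid, Set<String> algorithms) {
        algorithms = convert(algorithms);
        if (algorithms != null && !algorithms.contains(requestAlgOid)) {
            throw new IllegalArgumentException("request contains unknown algorithm");
        }
    }

    // Runs one validator and reports how it reacts, so the three shapes can be compared.
    static String outcome(String label, Runnable check) {
        try {
            check.run();
            return label + ": accepted";
        } catch (RuntimeException e) {
            return label + ": " + e.getClass().getSimpleName() + " (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        Set<String> accepted = new HashSet<>(Arrays.asList(SHA256_OID));
        String unknown = "1.2.3.4.5"; // constructed OID that is not in the allow-list

        // Normal operation: all three shapes behave the same.
        System.out.println(outcome("unchecked, known alg", () -> validateUnchecked(SHA256_OID, accepted)));
        System.out.println(outcome("unchecked, unknown alg", () -> validateUnchecked(unknown, accepted)));

        // The edge case from the issue: a null allow-list.
        System.out.println(outcome("unchecked, null list", () -> validateUnchecked(unknown, null)));
        System.out.println(outcome("fail-closed, null list", () -> validateFailClosed(unknown, null)));
        System.out.println(outcome("null-means-any, null list", () -> validateNullMeansAny(unknown, null)));
    }
}
```

Compile with `javac NullAllowListDemo.java && java NullAllowListDemo`. The unchecked variant rejects the unknown OID normally but throws `NullPointerException` on a null list; the fail-closed variant rejects the null list with a clear error; the null-means-any variant reports the unknown OID as accepted. Which of the last two is correct depends on the contract the caller expects for a null `algorithms` set, and that should be stated in the method's documentation rather than left to the presence or absence of a null check.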