Tags: GESoftware-CF/uaa
Merge pull request #625 from GESoftware-CF/predix_extensions_75.18.1 Predix extensions 75.18.1 - Correcting color change for manual setup page to black color
Merge SAST fixes in predix_extensions_75.6.0 into rc_75.6.0 (#270)

* Update version from 75.0.0 to 75.6.0 (#257)

  This gets displayed in the web UI and also gets used to set the version in documentation generated via slate. But delete the slate versionfile as it is dynamically generated during build and is in .gitignore. This was probably accidentally added in commit 642770c.

* Fix missing correlation ID in log messages (#256)

  In addition to Predix Spring Log Filter, it enables UAA to populate the corr field of the log using the 'traceId' attribute of the SLF4J MDC: predix/spring-log-filter@49d6ecd. Note, spring-cloud-sleuth (Reference: https://cloud.spring.io/spring-cloud-sleuth) doesn't seem to do this as expected. Since UAA is a "spring boot wannabe", sleuth doesn't correctly instrument UAA beans for distributed tracing. Spring-cloud-sleuth is boot based and only works with spring boot applications.

* Fix possible null dereference in JsonWebKeyDeserializer

  Rather than have the deserialization throw a null pointer exception, make it return null as it already does in other cases.

* Fix possible null dereference in JdbcExpiringCodeStore

  If code is null, then return null, rather than throw a null pointer exception when trying to get the timestamp from the null code.

* Refactor common code in JdbcExpiringCodeStore functions

  The peek and retrieve code functions are exactly the same except for the database update being done only when retrieving and not when peeking.

* Check nonce/salt length in EncryptionService:decrypt

  Make sure the nonce and salt read from the encrypted data are of the right length, as the lengths are also used as the offset to the actual encrypted payload that gets decrypted.

* Synchronize context destroy in DynamicLdapAuthenticationManager

  Application context creation is synchronized, so it makes sense to synchronize destruction too to avoid multiple threads conflicting when destroying contexts.

* Fix possible null dereference in InvitationsController

  If code is null for whatever reason (error when generating or retrieving, or actually expired), return an error response rather than throw a null pointer exception.

* Fix possible null dereference in TotpMfaEndpoint

  Redirect to the login screen by raising a handled exception, rather than raise a null pointer exception (see getUaaAuthentication in validateCode, which can return null before this change), if authentication can not be obtained from the security context, as is done if the principal can not be obtained from the authentication.

* Fix high/medium coverity issues - Part II (#267)

  - Fix possible null dereference in UaaAuthorizationEndpoint

    If the host name (used as origin) can not be extracted from the redirect URI for whatever reason, a null pointer exception will get thrown. Instead, return a 'Bad Request' response if the host extraction fails.

  - Fix possible null dereference in UaaTokenStore

    Parsing authentication from the token might result in a null map that might result in a null pointer exception. Instead, check for null, and raise an InvalidGrantException if the parsing fails and a null is returned.

  - Fix possible null dereference in RefreshTokenCreator

    Move the dereference of user into the block that checks user for null to prevent null pointer exceptions.

  - Fix possible null dereference in IdentityProviderEndpoints

    The identity provider retrieved is checked for null in the DELETE handler, in the PATCH handler (but only in a patch function), and also in ExternalOAuthProviderConfigurator:retrieve. This checking seems unnecessary as JdbcIdentityProviderProvisioning:retrieve should throw an EmptyResultDataAccessException rather than return null if the identity provider isn't found. But rather than remove null checks and introduce potential null pointer exceptions, add null checks in the PUT, PATCH, and GET handlers. If the identity provider is not found, return 404 Not Found for GET requests (by throwing EmptyResultDataAccessException), and 422 Unprocessable Entity for PUT/PATCH requests as is done for DELETE requests. Add/update unit tests.

  - Fix possible null dereference in PasswordComparisonAuthenticator

    Move the check for `attr` being null to before it gets dereferenced. Also remove the subsequent null check for `attr`.

  - Clean up unnecessary code in PasswordComparisonAuthenticator

    The instanceof check is enough for the null check too. The return value is not being used by any (just one) calling function.

  - Fix possible null dereference in IdpInitiatedLoginController

    Rather than dereference a null entity descriptor, check for null and raise an exception that will get handled by the caller.

  - Fix possible null dereference in NonSnarlIdpMetadataManager

    Check metadata for null in getHostedSpName before dereferencing. If metadata is null, throw a MetadataProviderException, which will get handled by the only calling function.

  - Fix possible null dereferences in ScimUserBootstrap

    AuthEvent handling might result in a null dereference if the fetch of the SCIM user fails when trying to update the SCIM user. If the SCIM user fetch fails, and the user is null, throw an explicit RuntimeException as is done in another handler, rather than have a NullPointerException get thrown when the null user is dereferenced.

Co-authored-by: irinaepshteyn <irina.epshteyn1@ge.com>
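The length check described in the EncryptionService:decrypt item above, as an added illustration written here and not UAA's own code: it assumes a salt||nonce||ciphertext layout with 16-byte salt, 12-byte nonce, AES-GCM with a 128-bit tag and PBKDF2 key derivation (all assumed parameters), and validates the blob length before those fixed offsets are used to slice out the payload.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative only: the wire layout and lengths below are assumptions, not UAA's format. */
public final class LengthCheckedGcm {
    static final int SALT_LEN = 16, NONCE_LEN = 12, TAG_BITS = 128;
    static final int HEADER = SALT_LEN + NONCE_LEN;
    static final int MIN_LEN = HEADER + TAG_BITS / 8; // even an empty plaintext carries a tag

    static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 65_536, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    static byte[] encrypt(char[] passphrase, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(HEADER + ct.length).put(salt).put(nonce).put(ct).array();
    }

    /** Rejects blobs too short to hold salt, nonce and tag before any offset arithmetic happens. */
    static byte[] decrypt(char[] passphrase, byte[] blob) throws GeneralSecurityException {
        if (blob == null || blob.length < MIN_LEN) {
            throw new GeneralSecurityException("ciphertext too short: " + (blob == null ? 0 : blob.length));
        }
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN], ct = new byte[blob.length - HEADER];
        in.get(salt);
        in.get(nonce);
        in.get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        return c.doFinal(ct); // a tampered payload fails here with AEADBadTagException
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "example-passphrase".toCharArray(); // constructed sample input
        byte[] blob = encrypt(pw, "hello".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(pw, blob), StandardCharsets.UTF_8));
        try { decrypt(pw, Arrays.copyOf(blob, 10)); } catch (GeneralSecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Without the length guard, a truncated blob either throws an unrelated BufferUnderflowException from the slicing or yields a misaligned payload; the explicit check turns it into one well-defined decrypt failure.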