Skip to content

Added validation and exception handling in readAttribute #405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Shivam7-1 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Added validation and exception handling in readAttribute #405

Shivam7-1 wants to merge 2 commits into from

Conversation

@Shivam7-1
Copy link

@Shivam7-1 Shivam7-1 commented Jan 28, 2025

Issue link: https://issues.oss-fuzz.com/issues/375660994
Added validation for attribute name and length in readAttribute method to prevent security exceptions. This change ensures that invalid or malformed attributes are handled properly, enhancing the robustness and security of the library.

Before you push a pull request, review this list:

  • Read the contribution guidelines for this project.
  • Run a successful build using the default Maven goal with mvn; that's mvn on the command line by itself.
  • Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied. This may not always be possible but is a best-practice.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Each commit in the pull request should have a meaningful subject line and body. Note that commits might be squashed by a maintainer on merge.

@garydgregory
Copy link
Member

garydgregory commented Feb 1, 2025

Hello @Shivam7-1

You'll need to add a unit test that fails without the changes to 'main'. It looks like the indentation is messed up.

Ty.

@Shivam7-1
Copy link
Author

Shivam7-1 commented Feb 1, 2025

Hii @garydgregory Thanks for response done this

garydgregory
garydgregory requested changes Feb 1, 2025
View reviewed changes
Copy link
Member

@garydgregory garydgregory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Shivam7-1

You did not follow the instructions in the PR template: Run mvn by itself and fix all errors. The PR title is confusing: The PR doesn't handle any exceptions, it throws exceptions for validation failures.

See my scattered comments as well.

Overall, I'm not sure if this PR is needed: If I apply the test side of the patch, I get ClassFormatExceptions already for the new tests.

Looking at the method, you could see where an NPE could happen but that's not what the tests cause.

src/main/java/org/apache/bcel/classfile/Attribute.java
*/
package org.apache.bcel.classfile;

import java.security.InvalidParameterException;
Copy link
Member

@garydgregory garydgregory Feb 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change has nothing to do with JCA or JCE, so java.security.InvalidParameterException is the wrong type. We define ClassFormatException for this very purpose. Examine the reset of the code base for examples.

src/main/java/org/apache/bcel/classfile/Attribute.java
final String name = constantPool.getConstantUtf8(nameIndex).getBytes();

// Validate name
if (name == null || name.isEmpty()) {
Copy link
Member

@garydgregory garydgregory Feb 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reuse StringUtils.isEmpty().

src/main/java/org/apache/bcel/classfile/Attribute.java

// Call proper constructor, depending on 'tag'
switch (tag) {
// Call proper constructor, depending on 'tag'
Copy link
Member

@garydgregory garydgregory Feb 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The indentation is still messed up, no need to change it.

src/test/java/org/apache/bcel/data/readAttributeTest.java
import org.apache.bcel.classfile.ConstantPool;
import org.junit.jupiter.api.Test;

public class readAttributeTest {
Copy link
Member

@garydgregory garydgregory Feb 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Class name does not follow Java conventions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@garydgregory garydgregory garydgregory requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Shivam7-1 @garydgregory