This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-net.git


The following commit(s) were added to refs/heads/master by this push:
     new 228685b8 Fix SpotBugs CT_CONSTRUCTOR_THROW in Base64 by implementing finalize() as a noop to avoid finalizer attacks
228685b8 is described below

commit 228685b88525cad367cef207bb8a860a8ff74a74
Author: Gary Gregory <garydgreg...@gmail.com>
AuthorDate: Thu Jun 20 21:04:09 2024 -0400

    Fix SpotBugs CT_CONSTRUCTOR_THROW in Base64 by implementing finalize()
    as a noop to avoid finalizer attacks
    
    - [ERROR] Medium: Exception thrown in class
    org.apache.commons.net.util.Base64 at new
    org.apache.commons.net.util.Base64(int, byte[]) will leave the
    constructor. The object under construction remains partially initialized
    and may be vulnerable to Finalizer attacks.
    [org.apache.commons.net.util.Base64, org.apache.commons.net.util.Base64]
    At Base64.java:[line 523]At Base64.java:[line 523] CT_CONSTRUCTOR_THROW
    
    - [ERROR] Medium: Exception thrown in class
    org.apache.commons.net.util.Base64 at new
    org.apache.commons.net.util.Base64(int, byte[], boolean) will leave the
    constructor. The object under construction remains partially initialized
    and may be vulnerable to Finalizer attacks.
    [org.apache.commons.net.util.Base64, org.apache.commons.net.util.Base64]
    At Base64.java:[line 556]At Base64.java:[line 556] CT_CONSTRUCTOR_THROW
    
    - [ERROR] Medium: Exception thrown in class
    org.apache.commons.net.util.Base64 at new
    org.apache.commons.net.util.Base64(boolean) will leave the constructor.
    The object under construction remains partially initialized and may be
    vulnerable to Finalizer attacks. [org.apache.commons.net.util.Base64,
    org.apache.commons.net.util.Base64] At Base64.java:[line 481]At
    Base64.java:[line 481] CT_CONSTRUCTOR_THROW
---
 src/changes/changes.xml                               | 1 +
 src/main/java/org/apache/commons/net/util/Base64.java | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 503cb4f8..19078f0f 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -78,6 +78,7 @@ The <action> type attribute can be add,update,fix,remove.
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Fix PMD 
UnnecessaryModifier.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Deprecate 
MLSxEntryParser default constructor in favor of 
MLSxEntryParser.getInstance().</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Deprecate direct 
access to org.apache.commons.net.nntp.Article.kid and next fields.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">Fix SpotBugs 
CT_CONSTRUCTOR_THROW in Base64 by implementing finalize() as a noop to avoid 
finalizer attacks.</action>
       <!-- ADD -->
       <action type="add" dev="ggregory" due-to="Gary 
Gregory">org.apache.commons.net.nntp.Article#getChild().</action>
       <action type="add" dev="ggregory" due-to="Gary 
Gregory">org.apache.commons.net.nntp.Article#getNext().</action>
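
Review bot: The added changes.xml entry names the SpotBugs rule but not the API effect of the fix. Base64 is a public, non-final class and, per the Base64.java hunk, now declares a `public final void finalize()`, so a subclass that overrides `finalize()` no longer compiles. Consider stating in the entry that Base64 now has a final `finalize()`, so users who read the release notes can spot the compatibility change.
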
diff --git a/src/main/java/org/apache/commons/net/util/Base64.java 
b/src/main/java/org/apache/commons/net/util/Base64.java
index 9880ac0e..72e9857c 100644
--- a/src/main/java/org/apache/commons/net/util/Base64.java
+++ b/src/main/java/org/apache/commons/net/util/Base64.java
@@ -600,6 +600,11 @@ public class Base64 {
         return newStringUtf8(encode(source));
     }
 
+    @Override
+    public final void finalize() {
+        // CT: Be wary of letting constructors throw exceptions. 
(CT_CONSTRUCTOR_THROW)
+    }
+
     int getLineLength() {
         return lineLength;
     }
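
Review bot: The new `finalize()` is declared `public`, which widens the `protected` visibility it has in `Object` and adds a method to Base64's public API; `protected final void finalize()` blocks a subclass override just as well. The body comment only repeats the SpotBugs rule text, so it is worth saying there that the method is intentionally empty and `final`, so that a subclass cannot override `finalize()` to get hold of an instance whose constructor threw. `Object.finalize()` is also deprecated since Java 9, so it may be worth checking whether this override needs a `@SuppressWarnings("deprecation")` on newer JDKs.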
