[
https://issues.apache.org/jira/browse/GROOVY-11522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17898566#comment-17898566
]
Paul King commented on GROOVY-11522:
------------------------------------
Thanks Zaki, that is an interesting case. The Groovy grammar doesn't let you
input programs where field names are "super" or "this", so I don't believe
normal developers using Groovy could ever trigger that NPE.
Groovy does allow folks to write AST transforms, and while adding a field
programmatically called "this" or "super" would be considered dangerous, we
might want to add an additional guard for that case - or we could disallow such
additions. Here is a test script showing that scenario:
{code:groovy}
import org.codehaus.groovy.ast.*
import org.codehaus.groovy.ast.expr.FieldExpression
import org.codehaus.groovy.control.SourceUnit
import org.codehaus.groovy.classgen.VariableScopeVisitor
import static groovyjarjarasm.asm.Opcodes.ACC_PUBLIC
def myClass = new ClassNode("MyClass", ACC_PUBLIC, ClassHelper.OBJECT_TYPE)
def myField = new FieldNode("super", ACC_PUBLIC, ClassHelper.OBJECT_TYPE, null,
null)
myClass.addField(myField)
def su = SourceUnit.create('dummy', '')
def vsv = new VariableScopeVisitor(su)
def fieldX = new FieldExpression(myField)
vsv.visitFieldExpression(fieldX)
{code}
with exception:
{noformat}
java.lang.NullPointerException
at
org.codehaus.groovy.classgen.VariableScopeVisitor.checkVariableContextAccess(VariableScopeVisitor.java:336)
at
org.codehaus.groovy.classgen.VariableScopeVisitor.visitFieldExpression(VariableScopeVisitor.java:560)
...
{noformat}
I wouldn't regard it as high priority given that it isn't something we'd ever
expect in real-life scenarios - but probably worth addressing in any case.
> Possible Null Pointer Dereference in VariableScopeVisitor.java
> --------------------------------------------------------------
>
> Key: GROOVY-11522
> URL: https://issues.apache.org/jira/browse/GROOVY-11522
> Project: Groovy
> Issue Type: Bug
> Reporter: Zaki
> Priority: Minor
>
> h1. {color:#172b4d}Overview{color}
> {color:#172b4d}In file:
> [*VariableScopeVisitor.java*|https://github.com/apache/groovy/blob/master/src/main/java/org/codehaus/groovy/classgen/VariableScopeVisitor.java#L649],
> there is a potential case of null pointer dereference. In method
> {{*visitFieldExpression*}} inside class {{{}*VariableScopeVisitor*{}}}, there
> is a call to {{*checkVariableContextAccess*}} which passes {{*variable*}} as
> a parameter and the {{*variable*}} object comes from
> {{{}*findVariableDeclaration(name)*{}}}, likely locating the variable using
> its name. {color}
>
> {code:java}
> @Override
> public void visitFieldExpression(final FieldExpression expression) {
> String name = expression.getFieldName();
> //TODO: change that to get the correct scope
> Variable variable = findVariableDeclaration(name);
> checkVariableContextAccess(variable, expression);
> }{code}
> Inside *checkVariableContextAccess* method *variable* is immediately
> referenced in the call *variable.isInStaticContext()* without any kind of
> null-checking.
> {code:java}
> private void checkVariableContextAccess(final Variable variable, final
> Expression expression) {
> if (variable.isInStaticContext()) {
> ...
> }
> } {code}
> But *findVariableDeclaration* returns null in cases where *name* equals super
> or this. In these cases *variable.isInStaticContext()* will cause
> {*}NullPointerException{*}.
> {code:java}
> private Variable findVariableDeclaration(final String name) {
> if ("super".equals(name) || "this".equals(name)) return null;
> ...
> } {code}
>
> h3. Sponsorship and Support
> {color:#172b4d}This work is done by the security researchers from
> OpenRefactory and is supported by the [Open Source Security Foundation
> (OpenSSF)|https://openssf.org/]: [Project
> Alpha-Omega|https://alpha-omega.dev/]. Alpha-Omega is a project partnering
> with open source software project maintainers to systematically find new,
> as-yet-undiscovered vulnerabilities in open source code - and get them fixed
> - to improve global software supply chain security.{color}
> {color:#172b4d}The bug is found by running the iCR tool by [OpenRefactory,
> Inc.|https://openrefactory.com/] and then manually triaging the
> results.{color}
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
