Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(bazel): avoid potential null dereference #188

Merged
merged 1 commit into from
Oct 18, 2023
Merged

fix(bazel): avoid potential null dereference #188

merged 1 commit into from
Oct 18, 2023

Conversation

rng70-or
Copy link
Contributor

Motivation:

In file: BazelBuildFileTemplate.java, class: BazelBuildFileTemplate, there is a method expand that, there is a potential Null pointer dereference while calling the equals method. Which can raise a NullPointerException..

Potential Null Dereference Path:

In method String expand(BazelBuildFileView bpv)

String newName = entry.getValue();
String currentName = buildozer.getAttribute(buildBazelPath, "%" + kind, "name");

The variable currentName can be null as the implementation getAttribute()

}

  // Get the value of the given attribute of the given target
  public String getAttribute(Path bazelBuildFile, String target, String attribute)
      throws IOException {
    List<String> executeResult;
    try {
      executeResult = execute(bazelBuildFile, String.format("print %s", attribute), target);
      String value = executeResult.get(0);
      if (value.equals("(missing)")) {
        return null;
      }
      // if value has spaces, `buildozer print` will return it in quotes. Remove the quotes
      if (value.charAt(0) == '"' && value.charAt(value.length() - 1) == '"') {
        value = value.substring(1, value.length() - 1);
      }
      return value;
    } catch (IndexOutOfBoundsException ignored) {
      return null;
    }
  }

Now, if this variable is null then

if (!currentName.equals(newName)) {
    buildozer.batchSetStringAttribute(buildBazelPath, currentName, "name", newName);
}

The argument passed to the equals method is not null which triggers a NullPointerException.

Fix:

Instead, pass the possible null value to the method argument

if (!newName.equals(currentName)) {
    buildozer.batchSetStringAttribute(buildBazelPath, currentName, "name", newName);
}
Sponsorship and Support:

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.

@rng70-or rng70-or requested review from a team as code owners October 18, 2023 03:09
noahdietz
noahdietz approved these changes Oct 18, 2023
View reviewed changes
Copy link
Contributor

@noahdietz noahdietz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, thank you.

@noahdietz noahdietz changed the title fix: potential null dereference fix(bazel): avoid potential null dereference Oct 18, 2023
@noahdietz noahdietz added the automerge Merge the pull request once unit tests and other checks pass. label Oct 18, 2023
@gcf-merge-on-green gcf-merge-on-green bot merged commit f47dd96 into googleapis:main Oct 18, 2023
4 checks passed
@gcf-merge-on-green gcf-merge-on-green bot removed the automerge Merge the pull request once unit tests and other checks pass. label Oct 18, 2023
@release-please release-please bot mentioned this pull request Oct 18, 2023
Merged
gcf-merge-on-green bot pushed a commit that referenced this pull request Nov 7, 2023
@release-please
chore(main): release 0.29.3 (#189)
f3172d8 
🤖 I have created a release *beep* *boop*
---


## [0.29.3](https://togithub.com/googleapis/rules_gapic/compare/v0.29.2...v0.29.3) (2023-11-07)


### Bug Fixes

* **bazel:** Avoid potential null dereference ([#188](https://togithub.com/googleapis/rules_gapic/issues/188)) ([f47dd96](https://togithub.com/googleapis/rules_gapic/commit/f47dd963dec8e72684555f8e9b44c57a77b8b1d0))
* **bazel:** Include transport flag in csharp template ([#191](https://togithub.com/googleapis/rules_gapic/issues/191)) ([18ee180](https://togithub.com/googleapis/rules_gapic/commit/18ee180b436210edfb318ab9422869df46e115ca))

---
This PR was generated with [Release Please](https://togithub.com/googleapis/release-please). See [documentation](https://togithub.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@noahdietz noahdietz noahdietz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rng70-or @noahdietz