You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In file GroovyFacet.java, there is a potential case of null pointer dereference. In method buildViewDispatchers() inside class GroovyFacet, there is a call to owner.webApp.getFacet(JellyFacet.class). Here webApp is an object of class WebApp.
Then scriptInvoker field is invoked on the supposedly returned type cast object. But getFacet() method of class WebApp can return null under a certain condition, when JellyFacet won't exist in facets.
public <T extends Facet> T getFacet(Class<T> type) {
for (Facet f : facets) {
if (type == f.getClass()) {
return type.cast(f);
}
}
return null;
}
If that happens, then invoking field scriptInvoker will cause a NullPointerException.
However, it is not immediately clear whether facets would always contain JellyFacet or not. If it is indeed the case, that JellyFacet will always exist in facets, then you may choose to ignore this issue.
Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.
The text was updated successfully, but these errors were encountered:
What happened?
In file GroovyFacet.java, there is a potential case of null pointer dereference. In method
buildViewDispatchers()inside classGroovyFacet, there is a call toowner.webApp.getFacet(JellyFacet.class). HerewebAppis an object of classWebApp.Then
scriptInvokerfield is invoked on the supposedly returned type cast object. But getFacet() method of classWebAppcan return null under a certain condition, whenJellyFacetwon't exist in facets.If that happens, then invoking field
scriptInvokerwill cause a NullPointerException.However, it is not immediately clear whether facets would always contain
JellyFacetor not. If it is indeed the case, thatJellyFacetwill always exist infacets, then you may choose to ignore this issue.Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.
The text was updated successfully, but these errors were encountered: