Skip to content

Java: Remove some JNDI Injection sinks #7702

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
aschackmull merged 2 commits into from
Jan 24, 2022
Merged

Java: Remove some JNDI Injection sinks #7702

aschackmull merged 2 commits into from
Jan 24, 2022

Conversation

@atorralba
Copy link
Contributor

@atorralba atorralba commented Jan 21, 2022

Removes JNDI Injection sinks that were causing false positives: LdapOperations.lookup methods receiving an AttributesMapper parameter don't actually call DirContext.lookup, but only DirContext.getAttributes. Also, adds tests and stubs for these cases.

Fixes #7699.

@atorralba atorralba requested a review from a team as a code owner January 21, 2022 16:42
@github-actions github-actions bot added the Java label Jan 21, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Jan 21, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Spring <https://spring.io/>`_,``org.springframework.*``,29,472,91,,,,19,14,,29
+    `Spring <https://spring.io/>`_,``org.springframework.*``,29,472,96,,,,19,14,,29
-    Totals,,182,6212,1419,106,6,10,107,33,1,81
+    Totals,,182,6212,1424,106,6,10,107,33,1,81
  • Changes to framework-coverage-java.csv:
- org.springframework.ldap,42,,,,,,,,,,28,14,,,,,,,,,,,,,,,,,
+ org.springframework.ldap,47,,,,,,,,,,33,14,,,,,,,,,,,,,,,,,

@atorralba atorralba force-pushed the atorralba/fix-jndi-injection-sinks branch from c1dfba4 to 78d7e53 Compare January 21, 2022 16:49
@github-actions
Copy link
Contributor

github-actions bot commented Jan 21, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Spring <https://spring.io/>`_,``org.springframework.*``,29,472,91,,,,19,14,,29
+    `Spring <https://spring.io/>`_,``org.springframework.*``,29,472,96,,,,19,14,,29
-    Totals,,182,6212,1419,106,6,10,107,33,1,81
+    Totals,,182,6212,1424,106,6,10,107,33,1,81
  • Changes to framework-coverage-java.csv:
- org.springframework.ldap,42,,,,,,,,,,28,14,,,,,,,,,,,,,,,,,
+ org.springframework.ldap,47,,,,,,,,,,33,14,,,,,,,,,,,,,,,,,

aschackmull
aschackmull reviewed Jan 24, 2022
View reviewed changes
Copy link
Contributor

@aschackmull aschackmull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM at a glance, but the test fails.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 24, 2022

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Spring <https://spring.io/>`_,``org.springframework.*``,29,472,91,,,,19,14,,29
+    `Spring <https://spring.io/>`_,``org.springframework.*``,29,472,96,,,,19,14,,29
-    Totals,,182,6212,1419,106,6,10,107,33,1,81
+    Totals,,182,6212,1424,106,6,10,107,33,1,81
  • Changes to framework-coverage-java.csv:
- org.springframework.ldap,42,,,,,,,,,,28,14,,,,,,,,,,,,,,,,,
+ org.springframework.ldap,47,,,,,,,,,,33,14,,,,,,,,,,,,,,,,,

@atorralba
Copy link
Contributor Author

atorralba commented Jan 24, 2022

@aschackmull stubs needed fixing. All checks are now green.

@aschackmull aschackmull merged commit 7af6dc7 into github:main Jan 24, 2022
@atorralba atorralba deleted the atorralba/fix-jndi-injection-sinks branch January 24, 2022 09:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aschackmull aschackmull aschackmull approved these changes

Assignees

No one assigned

Labels

Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

JNDI Injection - false positive

2 participants

@atorralba @aschackmull