opendev/gerrit
Code Issues Proposed changes

GerritPublicKeyChecker: Fix possible null dereference

Browse Source 
PGPPublicKey#getSignaturesForID(String) may return null if the user ID
is not present in the key. This shouldn't happen since we're iterating
over present IDs, but it's easy enough to detect and use the empty
iterator instead.

Coverity-CID: 107364
Change-Id: Ic321ea77650bbe2f1698d2a576a44b6e72bc9299
This commit is contained in:
Dave Borowitz 2015-09-03 10:33:42 -04:00
parent 3b2aa8aace
commit 948089a15c
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
gerrit-gpg/src/main/java/com/google/gerrit/gpg/GerritPublicKeyChecker.java
View File

@ -17,6 +17,7 @@ package com.google.gerrit.gpg;
import static com.google.gerrit.gpg.PublicKeyStore.keyIdToString;
import static com.google.gerrit.reviewdb.client.AccountExternalId.SCHEME_GPGKEY;
import com.google.common.base.MoreObjects;
import com.google.common.collect.FluentIterable;
import com.google.common.collect.Ordering;
import com.google.gerrit.common.PageLinks;
@ -35,6 +36,7 @@ import org.eclipse.jgit.transport.PushCertificateIdent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
@ -78,8 +80,7 @@ public class GerritPublicKeyChecker extends PublicKeyChecker {
while (userIds.hasNext()) {
String userId = userIds.next();
if (isAllowed(userId, allowedUserIds)) {
@SuppressWarnings("unchecked")
Iterator<PGPSignature> sigs = key.getSignaturesForID(userId);
Iterator<PGPSignature> sigs = getSignaturesForId(key, userId);
while (sigs.hasNext()) {
if (isValidCertification(key, sigs.next(), userId)) {
return;
@ -96,6 +97,14 @@ public class GerritPublicKeyChecker extends PublicKeyChecker {
}
}
@SuppressWarnings("unchecked")
private Iterator<PGPSignature> getSignaturesForId(PGPPublicKey key,
String userId) {
return MoreObjects.firstNonNull(
key.getSignaturesForID(userId),
Collections.emptyIterator());
}
private Set<String> getAllowedUserIds() {
IdentifiedUser user = userProvider.get();
Set<String> result = new HashSet<>();