[jira] [Closed] (OFBIZ-9689) [FB] Package org.apache.ofbiz.base.crypto

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Closed] (OFBIZ-9689) [FB] Package org.apache.ofbiz.base.crypto

JIRA jira@apache.org

     [ https://issues.apache.org/jira/browse/OFBIZ-9689?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl closed OFBIZ-9689.
--------------------------------
       Resolution: Implemented
    Fix Version/s: Upcoming Release

Thanks Julian,

your patch is in trunk r1812049.


> [FB] Package org.apache.ofbiz.base.crypto
> -----------------------------------------
>
>                 Key: OFBIZ-9689
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9689
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: base
>    Affects Versions: Trunk
>            Reporter: Julian Leichert
>            Assignee: Michael Brohl
>            Priority: Minor
>             Fix For: Upcoming Release
>
>         Attachments: OFBIZ-9689_org.apache.ofbiz.base.crypto_bugfixes.patch
>
>
> BlowFishCrypt.java:56, DE_MIGHT_IGNORE
> -DE: new org.apache.ofbiz.base.crypto.BlowFishCrypt(byte[]) might ignore java.lang.Exception
> This method might ignore an exception.  In general, exceptions should be handled or reported in some way, or they should be thrown out of the method.
> BlowFishCrypt.java:66, OS_OPEN_STREAM
> -OS: new org.apache.ofbiz.base.crypto.BlowFishCrypt(File) may fail to close stream
> The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method.  This may result in a file descriptor leak.  It is generally a good idea to use a finally block to ensure that streams are closed.
> BlowFishCrypt.java:71, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in new org.apache.ofbiz.base.crypto.BlowFishCrypt(File): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> BlowFishCrypt.java:74, DE_MIGHT_IGNORE
> -DE: new org.apache.ofbiz.base.crypto.BlowFishCrypt(File) might ignore java.lang.Exception
> This method might ignore an exception.  In general, exceptions should be handled or reported in some way, or they should be thrown out of the method.
> BlowFishCrypt.java:74, REC_CATCH_EXCEPTION
> -REC: Exception is caught when Exception is not thrown in new org.apache.ofbiz.base.crypto.BlowFishCrypt(File)
> This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs.
> A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:
>   try {
>     ...
>   } catch (RuntimeException e) {
>     throw e;
>   } catch (Exception e) {
>     ... deal with all non-runtime exceptions ...
>   }
> BlowFishCrypt.java:82, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.BlowFishCrypt.encrypt(String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> BlowFishCrypt.java:90, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.BlowFishCrypt.decrypt(String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> BlowFishCrypt.java:103, PZLA_PREFER_ZERO_LENGTH_ARRAYS
> -PZLA: Should org.apache.ofbiz.base.crypto.BlowFishCrypt.encrypt(byte[]) return a zero length array rather than null?
> It is often a better design to return a length zero array rather than a null reference to indicate that there are no results (i.e., an empty list of results). This way, no explicit check for null is needed by clients of the method.
> On the other hand, using null to indicate "there is no answer to this question" is probably appropriate. For example, File.listFiles() returns an empty list if given a directory containing no files, and returns null if the file is not a directory.
> BlowFishCrypt.java:118, PZLA_PREFER_ZERO_LENGTH_ARRAYS
> -PZLA: Should org.apache.ofbiz.base.crypto.BlowFishCrypt.decrypt(byte[]) return a zero length array rather than null?
> It is often a better design to return a length zero array rather than a null reference to indicate that there are no results (i.e., an empty list of results). This way, no explicit check for null is needed by clients of the method.
> On the other hand, using null to indicate "there is no answer to this question" is probably appropriate. For example, File.listFiles() returns an empty list if given a directory containing no files, and returns null if the file is not a directory.
> BlowFishCrypt.java:146, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.BlowFishCrypt.testKey(byte[]): new String(byte[])
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> BlowFishCrypt.java:166, OS_OPEN_STREAM
> -OS: org.apache.ofbiz.base.crypto.BlowFishCrypt.main(String[]) may fail to close stream
> The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method.  This may result in a file descriptor leak.  It is generally a good idea to use a finally block to ensure that streams are closed.
> BlowFishCrypt.java:167, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.BlowFishCrypt.main(String[]): new String(byte[])
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:68, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.comparePassword(String, String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:126, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.cryptPassword(String, String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:140, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.cryptValue(String, String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:197, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.pbkdf2HashCrypt(String, String, String): new String(byte[])
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:197, RV_RETURN_VALUE_IGNORED
> -RV: Return value of StringBuilder.toString() ignored in org.apache.ofbiz.base.crypto.HashCrypt.pbkdf2HashCrypt(String, String, String)
> The return value of this method should be checked. One common cause of this warning is to invoke a method on an immutable object, thinking that it updates the object. For example, in the following code fragment,
> String dateString = getHeaderField(name);
> dateString.trim();
> the programmer seems to be thinking that the trim() method will update the String referenced by dateString. But since Strings are immutable, the trim() function returns a new String value, which is being ignored here. The code should be corrected to:
> String dateString = getHeaderField(name);
> dateString = dateString.trim();
> HashCrypt.java:212, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.doComparePbkdf2(String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:250, DMI_INVOKING_TOSTRING_ON_ARRAY
> -USELESS_STRING: Invocation of toString on salt in org.apache.ofbiz.base.crypto.HashCrypt.getSalt()
> The code invokes toString on an array, which will generate a fairly useless result such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12.
> HashCrypt.java:284, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.digestHash(String, String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.
> HashCrypt.java:363, DM_DEFAULT_ENCODING
> -Dm: Found reliance on default encoding in org.apache.ofbiz.base.crypto.HashCrypt.digestHashOldFunnyHex(String, String): String.getBytes()
> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behaviour to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)