Description
In file Tracing.java, class Tracing, the method startInboundSpan has a potential null dereference. This may throw an unexpected NullPointerException which, if unhandled, may crash the program. Our analysis tool, iCR, detected the null pointer issue. A developer should introduce a null check or proper validation on the returned value before chaining a method invocation on that value.
Here, in the method body:

```java
builder
    .asChildOf(parent)
    .withTag(Tags.SPAN_KIND.getKey(), Tags.SPAN_KIND_SERVER)
    .withTag("as", request.getArgScheme().name());
```

Here, `getArgScheme()` from Request.java:

```java
public ArgScheme getArgScheme() {
    return ArgScheme.toScheme(transportHeaders.get(TransportHeaders.ARG_SCHEME_KEY));
}
```

invokes `toScheme()`, which can return null:

```java
public static @Nullable ArgScheme toScheme(@Nullable String argScheme) {
    if (argScheme == null) {
        return null;
    }
    switch (argScheme) {
        case "raw":
            return RAW;
        case "json":
            return JSON;
        case "http":
            return HTTP;
        case "thrift":
            return THRIFT;
        case "sthrift":
            return STREAMING_THRIFT;
        default:
            return null;
    }
}
```

Sponsorship and Support
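A self-contained reproduction of the flagged pattern and a guarded alternative, added here as an example and not taken from the project's code: it mirrors the `toScheme()` mapping above, shows the `NullPointerException` raised when the header is missing or carries an unsupported value, and returns `null` instead so the caller can skip the tag. The header key `"as"` and the `ArgScheme` enum are assumptions for this demo.

```java
import java.util.Map;

// Added example (not the project's code): reproduces request.getArgScheme().name()
// failing on a null scheme, and a guarded form that checks before chaining.
public class ArgSchemeTagExample {
    enum ArgScheme { RAW, JSON, HTTP, THRIFT, STREAMING_THRIFT }
    static final String ARG_SCHEME_KEY = "as"; // assumed header key for this demo

    // Same mapping as the page's toScheme(): missing or unknown value -> null.
    static ArgScheme toScheme(String argScheme) {
        if (argScheme == null) return null;
        switch (argScheme) {
            case "raw":     return ArgScheme.RAW;
            case "json":    return ArgScheme.JSON;
            case "http":    return ArgScheme.HTTP;
            case "thrift":  return ArgScheme.THRIFT;
            case "sthrift": return ArgScheme.STREAMING_THRIFT;
            default:        return null;
        }
    }

    // Unguarded: the chained call iCR flagged; throws NPE when toScheme() returns null.
    static String unguardedTag(Map<String, String> headers) {
        return toScheme(headers.get(ARG_SCHEME_KEY)).name();
    }

    // Guarded: validate the returned value first. A caller would then do
    //   if (tag != null) builder.withTag("as", tag);
    // so an unknown scheme just omits the tag instead of aborting span creation.
    static String guardedTag(Map<String, String> headers) {
        ArgScheme scheme = toScheme(headers.get(ARG_SCHEME_KEY));
        return scheme == null ? null : scheme.name();
    }

    public static void main(String[] args) {
        Map<String, String> ok = Map.of(ARG_SCHEME_KEY, "json");        // constructed input
        Map<String, String> bad = Map.of(ARG_SCHEME_KEY, "protobuf");   // constructed, unsupported
        Map<String, String> none = Map.of();                            // header absent
        System.out.println(guardedTag(ok));   // JSON
        System.out.println(guardedTag(bad));  // null -> skip withTag
        System.out.println(guardedTag(none)); // null -> skip withTag
        try {
            unguardedTag(bad);
        } catch (NullPointerException e) {
            System.out.println("unguarded chain threw NullPointerException");
        }
    }
}
```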
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.
The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.