Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability in WaitForAsyncUtils #281

Closed
Ortner opened this issue May 19, 2016 · 0 comments
Closed

Vulnerability in WaitForAsyncUtils #281

Ortner opened this issue May 19, 2016 · 0 comments

Comments

@Ortner
Copy link
Contributor

Ortner commented May 19, 2016
edited

Issue

There are several vulnerabilities in the WaitForAsyncUtils. Public methods require Exception handling, where it is not obvious.

The following code snippet serves as example:

try{
    Future<?> f=WaitForAsyncUtils.async(() -> {
        WaitForAsyncUtils.async(() -> {throw new SecurityException("Exception");});
    });
}catch(Exception e){e.printStackTrace();}

This code does not throw any exceptions.
If you do not call the get() method of the Future returned by async(), exceptions during execution will be masked in the callCallableAndSetFuture method. But when using the async() call I actually do not want to wait for the result.

I'm not completely done yet, as the Exception handling is not that easy to follow and different types of execution models with different kinds of exception handling are used (Runnables, callables with/without Executors...). But I think this is at least true for all the async..(...) methods. The waitForAsync...(...)Methods do check the exceptions later.

In my opinion this is dangerous, especially in the public API.

Current test case

The current test case is also invalid, the Exception is thrown by another method (see comment below).

@Test(timeout=1000)
    public void async_callable_with_exception() throws Exception {
        // given:
        Callable<Void> callable = () -> {
            throw new UnsupportedOperationException();
        };
        Future<Void> future = WaitForAsyncUtils.async(callable);

        // expect:
        thrown.expectCause(instanceOf(UnsupportedOperationException.class)); // <-- Validates after test
        WaitForAsyncUtils.waitFor(50, MILLISECONDS, future);  //<-- Exception is thrown here
    }

Possible relations

  • GlassRobot uses this methods quite frequently without checking the return value (move mouse, release mouse, key press...)
  • As exceptions may be masked, unpredicted behavior (e.g. concurrent modification exceptions may be masked), so this issue might be related to TestFX node lookup can cause javafx rendering issues #279

Proposal

I'm not completely done yet, but the simplest solution would be to remove the try catch block in callCallableAndSetFuture, if called from one of the async methods (extra method for async calls).
Ortner pushed a commit to Ortner/TestFX that referenced this issue May 21, 2016
281: Vulnerability in WaitForAsyncUtils
1728910 
Task-Url: http://github.com/TestFX/TestFX/issues/issue/281

Now original Exceptions will be thrown, if uncatched.
On the FXThread, exceptions will be thrown too.

fixes TestFX#281
@Ortner Ortner mentioned this issue May 21, 2016
Closed
brcolow pushed a commit to brcolow/TestFX that referenced this issue Jan 17, 2017
@brcolow
(refactor) Improve exception handling in WaitForAsyncUtils.
f1a3bf4 
Improve exception handling methods and allow the user to have more
control.

Fixed async_callable_with_exception to detect that no exception is
thrown.

Add testing for exceptions thrown on JavaFX application thread.

Closes TestFX#280
Closes TestFX#281
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Ortner