
Add Null Protection on Log / Logger #6186

Closed
swathikumar4precisely opened this issue Apr 16, 2021 · 3 comments

Comments

@swathikumar4precisely

@swathikumar4precisely swathikumar4precisely commented Apr 16, 2021

Jetty version - 9.4.36 and above

Java version - 1.8

OS type/version - Linux/Windows

Description

Hi Team,

To address a potential security issue, in our product we are trying to upgrade from v9.4.26 to v9.4.36.
When we replaced the jars and bounced our application, our application does come up fine - however, upon accessing the dashboard/home page of our application, we get NullPointerException. We also tested by upgrading to v9.4.39 and the same issue exists there as well.

Please note, we are not having this issue with the current jetty version we have in our product - v9.4.26.

Attaching the file with the full stack here.

We suspect it is a framework change in 9.4.36 and above - can you please review this stack and help us resolve this issue?

HTTP ERROR 500 java.lang.NullPointerException
URI:	/dashboard/
STATUS:	500
MESSAGE:	java.lang.NullPointerException
SERVLET:	default
CAUSED BY:	java.lang.NullPointerException
Caused by:
java.lang.NullPointerException
	at org.eclipse.jetty.http.HttpCookie.getSameSiteDefault(HttpCookie.java:477)
	at org.eclipse.jetty.server.Response.checkSameSite(Response.java:220)
	at org.eclipse.jetty.server.Response.addCookie(Response.java:201)
	at org.eclipse.jetty.server.Response.replaceCookie(Response.java:283)
	at org.eclipse.jetty.server.Request.getSession(Request.java:1634)
	at org.eclipse.jetty.server.Request.getSession(Request.java:1602)
	at com.sterlingcommerce.security.dv.web.SCUIWebValidationUtils.bypassRequestValidation(SCUIWebValidationUtils.java:281)
	at com.sterlingcommerce.security.dv.web.SCUISafeRequestFilter.doFilter(SCUISafeRequestFilter.java:41)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at com.sterlingcommerce.woodstock.ui.SecurityExtensionFilter.doFilter(SecurityExtensionFilter.java:238)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
	at org.eclipse.jetty.server.HttpChannel$$Lambda$93/00000000F0012540.dispatch(Unknown Source)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:135)
	at org.eclipse.jetty.io.ManagedSelector$$Lambda$84/00000000EC710D60.run(Unknown Source)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
	at java.lang.Thread.run(Thread.java:822)
@swathikumar4precisely
Author

@swathikumar4precisely swathikumar4precisely commented Apr 16, 2021

Please do let me know if you need to review our product code.

Regards
Swathi BN

@joakime
Member

@joakime joakime commented Apr 16, 2021

This is surprising, and would be happening to millions of jetty installations, as it's a highly used code path.

Line 477 in your stacktrace doesn't line up with anything that should ever be null.

https://github.com/eclipse/jetty.project/blob/jetty-9.4.36.v20210114/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCookie.java#L477

```java
public static SameSite getSameSiteDefault(ServletContext context)
{
    if (context == null)
        return null;
    Object o = context.getAttribute(SAME_SITE_DEFAULT_ATTRIBUTE);
    if (o == null)
    {
        if (LOG.isDebugEnabled())
            LOG.debug("No default value for SameSite");
        return null;
    }
```

Do you have some kind of custom logging going on in your environment?

Also note, that 9.4.40 was just released.
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.40.v20210413

joakime added a commit that referenced this issue Apr 16, 2021
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
@joakime joakime added this to To do in Jetty 9.4.41 Apr 16, 2021
joakime added a commit that referenced this issue Apr 21, 2021
Issue #6186 - Add null protection to Log/Logger API
@swathikumar4precisely
Author

@swathikumar4precisely swathikumar4precisely commented May 4, 2021

Hi Joakime - apologies for not getting back to you on this one.
You were spot on in identifying the issue - yes, I had turned the jetty debug on through JDK parameters and upon reading your inputs, I removed the debug parameters and can no longer see the NPE.

Many thanks for your quick response in getting this issue resolved.

Regards
Swathi BN
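The thread above pins the NPE on a logger lookup that returned null once debug logging was switched on via JVM parameters, so the `LOG.isDebugEnabled()` guard on a hot request path dereferenced null. The following is an added Java example, not Jetty's own Log/Logger code: it uses a constructed logging facade (`NullSafeLogDemo`, the `demo.log.class` and `demo.log.debug` system properties and the `same-site-default` attribute key are all invented for this example) to show the unguarded factory failing at a debug guard shaped like the one in the stack trace, and a guarded factory that never hands back null and so cannot fail there.

```java
import java.util.HashMap;
import java.util.Map;

/** Constructed minimal logging facade for this example; not Jetty's Log/Logger API. */
public final class NullSafeLogDemo {

    /** Minimal logger contract, loosely modelled on the calls visible in the stack trace. */
    public interface Logger {
        boolean isDebugEnabled();
        void debug(String msg);
    }

    /** Fallback implementation used when no configured logger can be obtained. */
    static final class StdErrLogger implements Logger {
        private final String name;
        private final boolean debug;

        StdErrLogger(String name, boolean debug) {
            this.name = name;
            this.debug = debug;
        }

        public boolean isDebugEnabled() { return debug; }

        public void debug(String msg) {
            if (debug) System.err.println("DEBUG " + name + ": " + msg);
        }
    }

    /**
     * Unguarded lookup: tries to instantiate the logger class named by the (constructed)
     * "demo.log.class" property and returns null when that fails. Returning null here is
     * the hazard: every call site that does LOG.isDebugEnabled() will throw NPE.
     */
    static Logger loadConfiguredLogger(String name) {
        String cls = System.getProperty("demo.log.class");
        if (cls == null) {
            return new StdErrLogger(name, Boolean.getBoolean("demo.log.debug"));
        }
        try {
            return (Logger) Class.forName(cls).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            return null;
        }
    }

    /** Guarded lookup: never returns null, so a misconfigured logger degrades to a fallback. */
    static Logger getLogger(String name) {
        Logger log = loadConfiguredLogger(name);
        if (log == null) {
            log = new StdErrLogger(name, Boolean.getBoolean("demo.log.debug"));
            log.debug("configured logger class unavailable; using fallback logger");
        }
        return log;
    }

    /** Mirrors the shape of the call site in the stack trace: a debug guard on a request path. */
    static String sameSiteDefault(Logger log, Map<String, Object> contextAttributes) {
        Object o = contextAttributes.get("same-site-default");
        if (o == null) {
            if (log.isDebugEnabled())
                log.debug("No default value for SameSite");
            return null;
        }
        return o.toString();
    }

    public static void main(String[] args) {
        // Simulate a JVM started with a logger class that cannot be loaded, plus debug enabled.
        System.setProperty("demo.log.class", "com.example.DoesNotExist");
        System.setProperty("demo.log.debug", "true");
        Map<String, Object> attrs = new HashMap<>();

        Logger unguarded = loadConfiguredLogger("demo");
        try {
            sameSiteDefault(unguarded, attrs);
            System.out.println("unguarded lookup: no error");
        } catch (NullPointerException e) {
            System.out.println("unguarded lookup: NPE at the debug guard, as in the issue");
        }

        Logger guarded = getLogger("demo");
        System.out.println("guarded lookup: result=" + sameSiteDefault(guarded, attrs));
    }
}
```

Run with `javac NullSafeLogDemo.java && java NullSafeLogDemo`. The first lookup reproduces the symptom from the report (a 500 caused by an NPE inside what is otherwise a benign debug check); the second shows why a logger factory should treat "could not obtain a logger" as "use a fallback" rather than "return null", which is the null protection the issue title refers to.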

Jetty 9.4.41 automation moved this from To do to Done May 4, 2021
@joakime joakime changed the title NullPointerException with jetty 9.4.36 and above Add Null Protection on Log / Logger May 12, 2021