Issue #12577 - Fixing NPE from HttpURI.getDecodedPath() if path doesn't exist #12580

joakime · 2024-11-26T15:01:37Z

Fixed in URIUtil.decodePath(String) where the input is null.

Signed-off-by: Lachlan Roberts <[email protected]>

Signed-off-by: Simone Bordet <[email protected]>

Signed-off-by: Lachlan Roberts <[email protected]>

* fix proxy url in web.xml * Issue #12184 Change urls https://eclipse.dev to https://jetty.org Fix #12187 Signed-off-by: Olivier Lamy <[email protected]> --------- Signed-off-by: Olivier Lamy <[email protected]>

Signed-off-by: Lachlan Roberts <[email protected]>

…websocketMethodHolder

Signed-off-by: Lachlan Roberts <[email protected]>

…SignInWithEthereum

… into jetty-12.1.x

Signed-off-by: Lachlan Roberts <[email protected]>

…SignInWithEthereum

Signed-off-by: Lachlan Roberts <[email protected]>

…to upgrade() Signed-off-by: Lachlan Roberts <[email protected]>

Signed-off-by: Simone Bordet <[email protected]>

…0.x. Signed-off-by: Simone Bordet <[email protected]>

Removed deprecated methods from EndPoint. Signed-off-by: Simone Bordet <[email protected]>

The previous semantic of `onCompleteFailure` has been renamed to `onFailure(Throwable)`, which is called immediately (but serialized) on either an abort or a failure. A new `onCompleteFailure(Throwable)` method has been added that is called only after a `failed(throwable)` or a `abort(Throwable)` followed by `succeeded()` or `failed(Throwable)`` No usage has yet been made of the new `onCompleteFailure`, but the ICB implementation has been completely replaced by the one developed in #11876 Signed-off-by: Simone Bordet <[email protected]> Signed-off-by: Ludovic Orban <[email protected]> Co-authored-by: Simone Bordet <[email protected]> Co-authored-by: Ludovic Orban <[email protected]>

Issue #6328 - avoid binding WebSocket MethodHandles

Issue #11560 - Implement EIP-4361 Sign-In With Ethereum

Signed-off-by: Lachlan Roberts <[email protected]>

Signed-off-by: Simone Bordet <[email protected]>

* Reworking jetty-compression for JPMS * Moving (include/exclude) verb to before noun * Renaming jetty-compression-api to jetty-compression-common * Renaming module compression-api to compression-common

Signed-off-by: Simone Bordet <[email protected]>

Improved messages used on more modules

Fix #9206 The HttpGenerator persistence was not correctly maintained over intermediate responses. Deprecate tester in EE11 --------- Signed-off-by: Olivier Lamy <[email protected]> Co-authored-by: Olivier Lamy <[email protected]>

…ams (#12534)

Signed-off-by: Simone Bordet <[email protected]>

This is the work for the server-side only, the client side will be done in another pull request. Previously, `AbstractConnection.getInvocationType()` was called by `AbstractConnection.ReadCallback`, but it was deprecated and is now removed, along with all its overrides. This mechanism is now replaced by using a specific Callback implementation for each `AbstractConnection` subclass. For example, `HttpConnection` uses `HttpConnection.FillableCallback` that in turn asks the `InvocationType` to the Server, and therefore the `Handler` tree. Introduced `AbstractConnection.NonBlocking` for the cases where `onFillable()` is non-blocking. Restored synchronous code for `ServerFCGIConnection.close()`, ensuring `super.close()` is always called. Ensuring that in `HttpConnection.close()` `super.close()` is always called. Fixed promise notification to avoid race between the task (writing an error response) and the promise (resetting the stream) in HTTP/2 and HTTP/3. Signed-off-by: Simone Bordet <[email protected]> Co-authored-by: Greg Wilkins <[email protected]>

Signed-off-by: Simone Bordet <[email protected]>

…'t exist

Signed-off-by: Simone Bordet <[email protected]>

…e-httpuri-decodedpath

...tty-ee11-osgi-boot/src/main/java/org/eclipse/jetty/ee11/osgi/boot/OSGiWebappClassLoader.java

+        if (osgiUrls != null && osgiUrls.hasMoreElements())
+            return osgiUrls;
+
+        Enumeration<URL> urls = super.getResources(name);


...tty-ee11-osgi-boot/src/main/java/org/eclipse/jetty/ee11/osgi/boot/OSGiWebappClassLoader.java

+    @Override
+    public URL getResource(String name)
+    {
+        URL url = _osgiBundleClassLoader.getResource(name);


...tty-ee11-osgi-boot/src/main/java/org/eclipse/jetty/ee11/osgi/boot/OSGiWebappClassLoader.java

+    public URL getResource(String name)
+    {
+        URL url = _osgiBundleClassLoader.getResource(name);
+        return url != null ? url : super.getResource(name);


...tty-ee11-osgi-boot/src/main/java/org/eclipse/jetty/ee11/osgi/boot/OSGiWebappClassLoader.java

+    @Override
+    public URL findResource(String name)
+    {
+        URL url = _osgiBundleClassLoader.getResource(name);


jetty-ee11/jetty-ee11-webapp/src/main/java/org/eclipse/jetty/ee11/webapp/WebAppClassLoader.java

+            {
+
+                // Couldn't find or see a webapp resource, so try a parent
+                URL parentUrl = _parent.getResource(name);


jetty-ee11/jetty-ee11-webapp/src/main/java/org/eclipse/jetty/ee11/webapp/WebAppClassLoader.java

+
+        // Perhaps this failed due to leading /
+        if (resource == null && name.startsWith("/"))
+            resource = getResource(name.substring(1));


...cket-jakarta-tests/src/main/java/org/eclipse/jetty/ee11/websocket/jakarta/tests/Sha1Sum.java

+
+    public static String calculate(Path path) throws NoSuchAlgorithmException, IOException
+    {
+        MessageDigest digest = MessageDigest.getInstance("SHA1");


To fix the problem, we need to replace the use of the SHA-1 algorithm with a stronger algorithm, such as SHA-256. This involves changing the instances where MessageDigest.getInstance("SHA1") is called to use SHA-256 instead. This change will ensure that the cryptographic operations are performed using a more secure and modern algorithm.

...cket-jakarta-tests/src/main/java/org/eclipse/jetty/ee11/websocket/jakarta/tests/Sha1Sum.java

+
+    public static String calculate(byte[] buf) throws NoSuchAlgorithmException
+    {
+        MessageDigest digest = MessageDigest.getInstance("SHA1");


To fix the problem, we should replace the use of the SHA-1 algorithm with a stronger algorithm, such as SHA-256. This involves updating the MessageDigest.getInstance("SHA1") calls to MessageDigest.getInstance("SHA-256"). This change will ensure that the code uses a modern, secure cryptographic hash function without altering the existing functionality.

...cket-jakarta-tests/src/main/java/org/eclipse/jetty/ee11/websocket/jakarta/tests/Sha1Sum.java

+
+    public static String calculate(byte[] buf, int offset, int len) throws NoSuchAlgorithmException
+    {
+        MessageDigest digest = MessageDigest.getInstance("SHA1");


To fix the problem, we should replace the use of the SHA-1 algorithm with a stronger algorithm like SHA-256. This involves updating the MessageDigest.getInstance("SHA1") calls to MessageDigest.getInstance("SHA-256"). This change will ensure that the hashing is done using a more secure algorithm without altering the existing functionality of the code.

joakime · 2024-11-27T14:57:14Z

This Branch/PR is just very messed up ATM.
Going to rebuild.

joakime · 2024-11-27T15:01:06Z

Replacement PR #12591

lachlan-roberts and others added 30 commits August 21, 2024 14:25

PR #11883 - fix build issue with poms

063e3fc

Signed-off-by: Lachlan Roberts <[email protected]>

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

8e6ad22

Signed-off-by: Simone Bordet <[email protected]>

implement servlet upgrade for ee10 and ee11

a9d3910

Signed-off-by: Lachlan Roberts <[email protected]>

PR #11883 - remove experimental warning and fix to documentation

37aed0e

Signed-off-by: Lachlan Roberts <[email protected]>

jetty 12.1.x 12184 urls fixes (#12187)

2ef6a34

* fix proxy url in web.xml * Issue #12184 Change urls https://eclipse.dev to https://jetty.org Fix #12187 Signed-off-by: Olivier Lamy <[email protected]> --------- Signed-off-by: Olivier Lamy <[email protected]>

changes from review

3d28e16

Signed-off-by: Lachlan Roberts <[email protected]>

Merge remote-tracking branch 'origin/jetty-12.1.x' into jetty-12.1.x-…

e923380

…websocketMethodHolder

add missing licence header

0e73c56

Signed-off-by: Lachlan Roberts <[email protected]>

Merge remote-tracking branch 'origin/jetty-12.0.x' into jetty-12.0.x-…

b07a8c0

…SignInWithEthereum

Merge remote-tracking branch 'origin/jetty-12.0.x-SignInWithEthereum'…

25cf822

… into jetty-12.1.x

update supported versions in documentation to 12.1+

8b21725

Signed-off-by: Lachlan Roberts <[email protected]>

update poms to 12.1.0-SNAPSHOT versions

11509c2

Signed-off-by: Lachlan Roberts <[email protected]>

Merge remote-tracking branch 'origin/jetty-12.0.x' into jetty-12.1.x

2a90cab

PR #12188 - move code to jetty-integrations/jetty-ethereum

b40a942

Signed-off-by: Lachlan Roberts <[email protected]>

PR #12188 - rename siwe.mod to ethereum.mod

28ae673

Signed-off-by: Lachlan Roberts <[email protected]>

Merge remote-tracking branch 'origin/jetty-12.1.x' into jetty-12.1.x-…

d56c962

…SignInWithEthereum

PR #12188 - fix parent of jetty-etherem pom.xml

1b13c58

Signed-off-by: Lachlan Roberts <[email protected]>

PR #12186 - deprecate servletUpgrade method on HttpParser and rename …

cb691cd

…to upgrade() Signed-off-by: Lachlan Roberts <[email protected]>

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

dfe1e6b

Signed-off-by: Simone Bordet <[email protected]>

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

3170946

Signed-off-by: Simone Bordet <[email protected]>

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

95665b7

Signed-off-by: Simone Bordet <[email protected]>

Fixed parent version in newly introduced Maven module merged from 12.…

1af9980

…0.x. Signed-off-by: Simone Bordet <[email protected]>

Issue #12023 - Remove deprecated classes/methods.

b9bcb58

Removed deprecated methods from EndPoint. Signed-off-by: Simone Bordet <[email protected]>

disable broken tests to be fixed in #12171

5bbae27

Merge pull request #12181 from jetty/jetty-12.1.x-websocketMethodHolder

c0d5adf

Issue #6328 - avoid binding WebSocket MethodHandles

Merge pull request #12188 from jetty/jetty-12.1.x-SignInWithEthereum

d8fad1f

Issue #11560 - Implement EIP-4361 Sign-In With Ethereum

move jetty-openid from jetty-core to jetty-integrations

9756387

Signed-off-by: Lachlan Roberts <[email protected]>

reduce duplication for OpenIdProvider testing class

063e839

Signed-off-by: Lachlan Roberts <[email protected]>

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

7aaca7d

Signed-off-by: Simone Bordet <[email protected]>

sbordet and others added 15 commits November 18, 2024 17:13

Fixed eager-content.mod and jetty-eager-content.xml.

81adea8

Signed-off-by: Simone Bordet <[email protected]>

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

2452c11

Signed-off-by: Simone Bordet <[email protected]>

Reworking jetty-compression for JPMS (#12531)

f480f46

* Reworking jetty-compression for JPMS * Moving (include/exclude) verb to before noun * Renaming jetty-compression-api to jetty-compression-common * Renaming module compression-api to compression-common

Fixing pom

019557d

Added documentation for DoSHandler. (#12546)

b115f12

Signed-off-by: Simone Bordet <[email protected]>

Improve module deprecation (#12547)

3443cb4

Improved messages used on more modules

Fix 100 continues persistence (#12548)

1eaceae

Fix #9206 The HttpGenerator persistence was not correctly maintained over intermediate responses. Deprecate tester in EE11 --------- Signed-off-by: Olivier Lamy <[email protected]> Co-authored-by: Olivier Lamy <[email protected]>

Remove inapplicable test cases; removed unused DefaultServlet initpar…

1c1dfc9

…ams (#12534)

Undisable ee10, ee11 TestJettyJspServlet (#12533)

6b85dab

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

c56a24f

Signed-off-by: Simone Bordet <[email protected]>

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

be14c30

Signed-off-by: Simone Bordet <[email protected]>

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

bdbbd3f

Signed-off-by: Simone Bordet <[email protected]>

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

2f21cd4

Signed-off-by: Simone Bordet <[email protected]>

Issue #12577 - Fixing NPE from HttpURI.getDecodedPath() if path doesn…

19aec3a

…'t exist

joakime added the Bug For general bugs on Jetty side label Nov 26, 2024

joakime requested a review from gregw November 26, 2024 15:01

joakime self-assigned this Nov 26, 2024

joakime linked an issue Nov 26, 2024 that may be closed by this pull request

org.eclipse.jetty.http.HttpURI.getDecodedPath() throws an NPE when there is no path #12577

Closed

joakime mentioned this pull request Nov 26, 2024

org.eclipse.jetty.http.HttpURI.getDecodedPath() throws an NPE when there is no path #12577

Closed

Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

cb5a6c6

Signed-off-by: Simone Bordet <[email protected]>

gregw previously approved these changes Nov 26, 2024

View reviewed changes

olamy and others added 2 commits November 27, 2024 10:35

Merge branch 'jetty-12.0.x' into jetty-12.1.x

4050f02

Merge remote-tracking branch 'origin/jetty-12.1.x' into fix/12.0.x/np…

935d6c7

…e-httpuri-decodedpath

joakime dismissed gregw’s stale review via 935d6c7 November 27, 2024 13:57

github-advanced-security bot found potential problems Nov 27, 2024

View reviewed changes

joakime closed this Nov 27, 2024

joakime mentioned this pull request Nov 27, 2024

Issue #12577 - Fixing NPE from HttpURI.getDecodedPath() if path doesn't exist #12591

Merged

@@ -73,3 +73,3 @@
                 {
-                    MessageDigest digest = MessageDigest.getInstance("SHA1");
+                    MessageDigest digest = MessageDigest.getInstance("SHA-256");
                     try (InputStream in = Files.newInputStream(path, StandardOpenOption.READ);
@@ -85,3 +85,3 @@
                 {
-                    MessageDigest digest = MessageDigest.getInstance("SHA1");
+                    MessageDigest digest = MessageDigest.getInstance("SHA-256");
                     digest.update(buf);
@@ -92,3 +92,3 @@
                 {
-                    MessageDigest digest = MessageDigest.getInstance("SHA1");
+                    MessageDigest digest = MessageDigest.getInstance("SHA-256");
                     digest.update(buf, offset, len);

@@ -73,3 +73,3 @@
                 {
-                    MessageDigest digest = MessageDigest.getInstance("SHA1");
+                    MessageDigest digest = MessageDigest.getInstance("SHA-256");
                     try (InputStream in = Files.newInputStream(path, StandardOpenOption.READ);
@@ -85,3 +85,3 @@
                 {
-                    MessageDigest digest = MessageDigest.getInstance("SHA1");
+                    MessageDigest digest = MessageDigest.getInstance("SHA-256");
                     digest.update(buf);
@@ -92,3 +92,3 @@
                 {
-                    MessageDigest digest = MessageDigest.getInstance("SHA1");
+                    MessageDigest digest = MessageDigest.getInstance("SHA-256");
                     digest.update(buf, offset, len);

@@ -73,3 +73,3 @@
                 {
-                    MessageDigest digest = MessageDigest.getInstance("SHA1");
+                    MessageDigest digest = MessageDigest.getInstance("SHA-256");
                     try (InputStream in = Files.newInputStream(path, StandardOpenOption.READ);
@@ -85,3 +85,3 @@
                 {
-                    MessageDigest digest = MessageDigest.getInstance("SHA1");
+                    MessageDigest digest = MessageDigest.getInstance("SHA-256");
                     digest.update(buf);
@@ -92,3 +92,3 @@
                 {
-                    MessageDigest digest = MessageDigest.getInstance("SHA1");
+                    MessageDigest digest = MessageDigest.getInstance("SHA-256");
                     digest.update(buf, offset, len);

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Issue #12577 - Fixing NPE from HttpURI.getDecodedPath() if path doesn't exist #12580

Issue #12577 - Fixing NPE from HttpURI.getDecodedPath() if path doesn't exist #12580

Uh oh!

joakime commented Nov 26, 2024

Uh oh!

Uh oh!

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Check failure

Copilot Autofix

joakime commented Nov 27, 2024

Uh oh!

joakime commented Nov 27, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

11 participants

Issue #12577 - Fixing NPE from HttpURI.getDecodedPath() if path doesn't exist #12580

Issue #12577 - Fixing NPE from HttpURI.getDecodedPath() if path doesn't exist #12580

Uh oh!

Conversation

joakime commented Nov 26, 2024

Uh oh!

Uh oh!

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

joakime commented Nov 27, 2024

Uh oh!

joakime commented Nov 27, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

11 participants