Nutch / NUTCH-2786

TrustManager methods do not have certificate validation logic


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.16
    • Fix Version/s: 1.19
    • Component/s: plugin, protocol
    • Labels: None

      Description

    • Vulnerability Description: In “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java”, the overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.
    • Reason it’s vulnerable: It is vulnerable because DummyX509TrustManager implements X509TrustManager and overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but return hard-coded true. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.
    • Suggested Fix: Add the necessary certificate verification logic in the overridden methods. This is example code showing a format that can be used and modified appropriately to implement the certificate validation logic - https://paste.ubuntu.com/p/jWtH2yTNR8/ .
    • Feedback: Please select any of the options below to help us get an idea of how you felt about the suggestion -
      1. Liked it and will make the suggested changes
      2. Liked it but happy with the existing version
      3. Didn’t find the suggestion helpful

    People

    • Assignee: Unassigned
    • Reporter: mahir.kabir Md Mahir Asef Kabir