Project: OFBiz
Parent: OFBIZ-9450 Fixing defects reported by code analysis tools
Issue: OFBIZ-9823

[FB] Package org.apache.ofbiz.marketing.tracking


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Implemented
    • Affects Version/s: Trunk
    • Fix Version/s: 17.12.01
    • Component/s: marketing
    • Labels:
      None

      Description

      — TrackingCodeEvents.java:261, RpC_REPEATED_CONDITIONAL_TEST
      RpC: Repeated conditional test in org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue, HttpServletRequest, HttpServletResponse, String)

      The code contains a conditional test that is performed twice, one right after the other (e.g., x == 0 || x == 0). Perhaps the second occurrence is intended to be something else (e.g., x == 0 || y == 0).

      — TrackingCodeEvents.java:261, RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE
      RCN: Redundant nullcheck of visitorSiteId, which is known to be non-null in org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue, HttpServletRequest, HttpServletResponse, String)

      This method contains a redundant check of a known non-null value against the constant null.

      — TrackingCodeEvents.java:263, HRS_REQUEST_PARAMETER_TO_COOKIE
      HRS: HTTP cookie formed from untrusted input in org.apache.ofbiz.marketing.tracking.TrackingCodeEvents.processTrackingCode(GenericValue, HttpServletRequest, HttpServletResponse, String)

      This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow an HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.

      FindBugs looks only for the most blatant, obvious cases of HTTP response splitting. If FindBugs found any, you almost certainly have more vulnerabilities that FindBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool.
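The HRS finding above is about a request parameter flowing into a Set-Cookie header. The following is an added example, not OFBiz code, showing the flagged shape next to a hardened one: a hypothetical `sanitizeTrackingCode` helper accepts only values matching a strict allow-list before they are placed in a `javax.servlet.http.Cookie`. The parameter name `trackingCode`, the cookie name and the allowed code format are assumptions made for the example.

```java
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not OFBiz code): allow-list validation of a request
 * parameter before it is stored in a cookie, closing the path that
 * FindBugs reports as HRS_REQUEST_PARAMETER_TO_COOKIE.
 */
public final class TrackingCookieExample {
    // Assumption: tracking codes are short tokens of letters, digits, '-' or '_'.
    private static final Pattern SAFE_CODE = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    private static final String COOKIE_NAME = "TKCDT"; // hypothetical cookie name

    private TrackingCookieExample() {}

    /** Returns the value if it is a well-formed tracking code, otherwise null. */
    static String sanitizeTrackingCode(String raw) {
        if (raw == null) {
            return null;
        }
        // Anything outside the allow-list is dropped; this covers CR, LF and ';',
        // the characters that would let a value break out of a Set-Cookie header.
        return SAFE_CODE.matcher(raw).matches() ? raw : null;
    }

    /** Flagged shape: the raw parameter goes straight into the cookie. */
    static void setCookieUnsafe(HttpServletRequest request, HttpServletResponse response) {
        String code = request.getParameter("trackingCode");
        response.addCookie(new Cookie(COOKIE_NAME, code)); // what FindBugs reports
    }

    /** Hardened shape: only a validated value ever reaches the response. */
    static boolean setCookieSafe(HttpServletRequest request, HttpServletResponse response) {
        String code = sanitizeTrackingCode(request.getParameter("trackingCode"));
        if (code == null) {
            return false; // caller should log and ignore the malformed parameter
        }
        Cookie cookie = new Cookie(COOKIE_NAME, code);
        cookie.setHttpOnly(true);
        cookie.setPath("/");
        response.addCookie(cookie);
        return true;
    }
}
```

The return value of `setCookieSafe` lets the calling event handler distinguish a rejected parameter from a successfully set cookie, which is the signal worth logging when monitoring for tampering attempts.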

    People

    • Assignee: mbrohl (Michael Brohl)
    • Reporter: Dennis Balkir