JDK-8286676

InetAddress::getByName() missing checks on array

    Details

    • Type: Bug
    • Status: Open
    • Priority: P4
    • Resolution: Unresolved
    • Affects Version/s: 18
    • Fix Version/s: tbd
    • Component/s: core-libs
    • Labels: None
    • Subcomponent:
    • CPU: generic
    • OS: generic

      Description

      InetAddress::getByName is a known exported API to perform name-to-address lookups. It returns the first address that was resolved. Internally, it calls InetAddress.getAllByName() and then grabs the first element of the array that is returned. This array is provided by JDK-owned infrastructure, and as such, very little validation needs to be performed. With JEP 418, which allows for third-party SPIs, the returned data might no longer be as trusted as it was previously if a weakly implemented third-party resolver is in use. While there is some glue code around getAllByName() to try and prevent this, it might make sense for getByName() to perform some checking itself.

      Recommendations

      Check that getAllByName() does not return NULL and that the array contains at least one element.

      public static InetAddress getByName(String host) throws UnknownHostException {
          return InetAddress.getAllByName(host)[0]; // <-- should check that getAllByName() doesn't return NULL and that the array contains at least 1 element.
      }
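
The recommended check, as an added example that is not JDK code or part of the original report: it compares the unchecked indexing above with a checked form against simulated weak resolvers. The `AllByName` interface, the class and method names, and the extra `addrs[0] == null` test (which goes beyond the report's recommendation) are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.LinkedHashMap;
import java.util.Map;

public class CheckedLookup {
    /** Hypothetical stand-in for InetAddress.getAllByName(), so weak resolvers can be simulated. */
    interface AllByName {
        InetAddress[] lookup(String host) throws UnknownHostException;
    }

    /** Same shape as the snippet in the report: indexes the array without any check. */
    static InetAddress uncheckedFirst(String host, AllByName r) throws UnknownHostException {
        return r.lookup(host)[0];
    }

    /** Checked form: a null or empty result becomes an UnknownHostException. */
    static InetAddress checkedFirst(String host, AllByName r) throws UnknownHostException {
        InetAddress[] addrs = r.lookup(host);
        // The addrs[0] == null test is an extra assumption, not part of the report.
        if (addrs == null || addrs.length == 0 || addrs[0] == null) {
            throw new UnknownHostException(host + ": resolver returned no usable address");
        }
        return addrs[0];
    }

    static String outcome(AllByName r, boolean checked) {
        try {
            return String.valueOf(checked ? checkedFirst("example.test", r)
                                          : uncheckedFirst("example.test", r));
        } catch (Exception e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a literal TEST-NET-1 address, no DNS traffic.
        InetAddress ok = InetAddress.getByAddress("example.test", new byte[] {(byte) 192, 0, 2, 1});
        Map<String, AllByName> resolvers = new LinkedHashMap<>();
        resolvers.put("well-behaved", h -> new InetAddress[] {ok});
        resolvers.put("returns null", h -> null);
        resolvers.put("returns empty", h -> new InetAddress[0]);
        resolvers.put("null element", h -> new InetAddress[] {null});
        for (Map.Entry<String, AllByName> e : resolvers.entrySet()) {
            System.out.printf("%-14s unchecked=%-31s checked=%s%n", e.getKey(),
                    outcome(e.getValue(), false), outcome(e.getValue(), true));
        }
    }
}
```

In the unchecked path a null or empty array surfaces as NullPointerException or ArrayIndexOutOfBoundsException, which are unchecked exceptions that callers handling only the declared UnknownHostException will not catch.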

            People

            Assignee: aefimov Aleksej Efimov
            Reporter: mbenfadhel Mariem Ben Fadhel