Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[fix] Prevent null from flagging as authentication information in PreventTokenLogging check #674

Merged
merged 3 commits into from
Jul 2, 2019
Merged

[fix] Prevent null from flagging as authentication information in PreventTokenLogging check #674

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3f14f21
Prevent uses of null as flagging as authentication information in Pre…
Jul 1, 2019
464ddbe
Manually add changelog file.
Jul 1, 2019
2d82735
Add null check into AUTH_MATCHER
Jul 1, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 9 additions & 6 deletions baseline-error-prone/src/main/java/com/palantir/baseline/errorprone/PreventTokenLogging.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,16 +46,19 @@ public final class PreventTokenLogging extends BugChecker implements BugChecker.
.onClassAny("com.palantir.logsafe.SafeArg", "com.palantir.logsafe.UnsafeArg")
.named("of"));

private static final Matcher<Tree> AUTH_MATCHER =
Matchers.anyOf(
Matchers.isSubtypeOf("com.palantir.tokens.auth.AuthHeader"),
Matchers.isSubtypeOf("com.palantir.tokens.auth.BearerToken"));
private static final Matcher<ExpressionTree> AUTH_MATCHER =
Matchers.allOf(
Matchers.anyOf(
Matchers.isSubtypeOf("com.palantir.tokens.auth.AuthHeader"),
Matchers.isSubtypeOf("com.palantir.tokens.auth.BearerToken")),
Matchers.not(
Matchers.kindIs(Tree.Kind.NULL_LITERAL)));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there's also a Matchers.isNonNull()

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I remember about Matchers.isNonNull(), is that it only returns true when the expression is provably non-null via a null analysis to make its determination and could sometimes return false when we need true since I believe we are only concerned with the use of literal null.


@Override
public Description matchMethodInvocation(MethodInvocationTree tree, VisitorState state) {
if (METHOD_MATCHER.matches(tree, state)) {
for (Tree arg : tree.getArguments()) {
if (AUTH_MATCHER.matches(arg, state) && arg.getKind() != Tree.Kind.NULL_LITERAL) {
for (ExpressionTree arg : tree.getArguments()) {
if (AUTH_MATCHER.matches(arg, state)) {
return buildDescription(arg)
.setMessage("Authentication information is not allowed to be logged.")
.build();
Expand Down
6 changes: 6 additions & 0 deletions changelog/@unreleased/pr-674.v2.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
type: fix
fix:
description: The PreventTokenLogging error-prone check will now correctly handle
null use in SLF4J and Safe/Unsafe Arg functions.
links:
- https://github.com/palantir/gradle-baseline/pull/674