find-sec-bugs / find-sec-bugs

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)

Home Page: https://find-sec-bugs.github.io/


ConstantPasswordDetector: StringIndexOutOfBoundsException: String index out of range: -3

nkavian opened this issue · comments

Environment

Component    Version
Maven        3.8.1
Java         1.8.0_241
SpotBugs     4.3.0
FindSecBugs  1.11.0

Problem

[INFO] Fork Value is true
     [java] The following errors occurred during analysis:
     [java]   Exception analyzing com.my.package.MyClass using detector com.h3xstream.findsecbugs.password.ConstantPasswordDetector
     [java]     java.lang.StringIndexOutOfBoundsException: String index out of range: -3
     [java]       At java.lang.String.substring(String.java:1931)
     [java]       At com.h3xstream.findsecbugs.password.ConstantPasswordDetector.isSuspiciousName(ConstantPasswordDetector.java:123)
     [java]       At com.h3xstream.findsecbugs.password.ConstantPasswordDetector.visitAfter(ConstantPasswordDetector.java:109)
     [java]       At edu.umd.cs.findbugs.visitclass.PreorderVisitor.visitJavaClass(PreorderVisitor.java:403)
     [java]       At org.apache.bcel.classfile.JavaClass.accept(JavaClass.java:213)
     [java]       At edu.umd.cs.findbugs.BytecodeScanningDetector.visitClassContext(BytecodeScanningDetector.java:38)
     [java]       At edu.umd.cs.findbugs.DetectorToDetector2Adapter.visitClass(DetectorToDetector2Adapter.java:76)
     [java]       At edu.umd.cs.findbugs.FindBugs2.lambda$analyzeApplication$1(FindBugs2.java:1108)
     [java]       At java.util.concurrent.FutureTask.run(FutureTask.java:266)
     [java]       At edu.umd.cs.findbugs.CurrentThreadExecutorService.execute(CurrentThreadExecutorService.java:86)
     [java]       At java.util.concurrent.AbstractExecutorService.invokeAll(AbstractExecutorService.java:238)
     [java]       At edu.umd.cs.findbugs.FindBugs2.analyzeApplication(FindBugs2.java:1118)
     [java]       At edu.umd.cs.findbugs.FindBugs2.execute(FindBugs2.java:309)
     [java]       At edu.umd.cs.findbugs.FindBugs.runMain(FindBugs.java:395)
     [java]       At edu.umd.cs.findbugs.FindBugs2.main(FindBugs2.java:1231)

Code

It's unknown which line in my unit test file is causing this in your detector. Looking at the detector at this line, the fullFieldName is shorter than the classNameLength, so the difference becomes a -3 length.

Here is the String implementation for substring, which triggers the 2nd exception, not the first:

    public String substring(int beginIndex) {
        // First check: a negative begin index.
        if (beginIndex < 0) {
            throw new StringIndexOutOfBoundsException(beginIndex);
        }
        // Second check: begin index past the end of the string. With a 15-character
        // string and beginIndex 18, subLen is -3, which is the value in the report.
        int subLen = value.length - beginIndex;
        if (subLen < 0) {
            throw new StringIndexOutOfBoundsException(subLen);
        }
        return (beginIndex == 0) ? this : new String(value, beginIndex, subLen);
    }
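The following is an added example (my own Java, not the find-sec-bugs detector's source) that reproduces the arithmetic described in the report on constructed names and shows a guarded form of the same prefix-stripping step. The method names `stripClassPrefixUnguarded` and `stripClassPrefixGuarded`, the sample class and field names, and the assumption that the detector strips a class-name prefix from `fullFieldName` are all mine; the real `isSuspiciousName` may differ.

```java
// Added example: my own Java, not the find-sec-bugs detector's source. It reproduces the
// arithmetic the report describes (substring(classNameLength) on a shorter fullFieldName)
// on constructed names and shows a guarded version. Method and variable names are assumptions.
public class SubstringGuardExample {

    // Hypothetical reconstruction of the failing pattern: assumes fullFieldName always
    // begins with the class name and is longer than it. When it is shorter, the begin
    // index exceeds the length and String.substring throws (subLen < 0 in the JDK source).
    static String stripClassPrefixUnguarded(String fullFieldName, String className) {
        int classNameLength = className.length();
        return fullFieldName.substring(classNameLength);
    }

    // Guarded version: strip only when the prefix is actually present and something
    // remains after it; otherwise hand the name back unchanged so the detector can
    // keep going instead of aborting the analysis of the whole class.
    static String stripClassPrefixGuarded(String fullFieldName, String className) {
        if (fullFieldName == null || className == null) {
            return fullFieldName;
        }
        if (fullFieldName.length() > className.length() && fullFieldName.startsWith(className)) {
            return fullFieldName.substring(className.length());
        }
        return fullFieldName;
    }

    public static void main(String[] args) {
        // Constructed inputs: className has 18 characters, the field name only 15, so
        // value.length - beginIndex is 15 - 18 = -3, the value seen in the report.
        String className = "com.example.Config";
        String shortFieldName = "DB_PASSWORD_KEY";
        // A constructed name that does carry the prefix, to show the normal path still works.
        String prefixedFieldName = "com.example.Config.DB_PASSWORD_KEY";

        try {
            stripClassPrefixUnguarded(shortFieldName, className);
            System.out.println("unguarded: no exception (unexpected)");
        } catch (StringIndexOutOfBoundsException e) {
            // On Java 8 the message reads "String index out of range: -3";
            // newer JDKs word the same condition differently.
            System.out.println("unguarded: " + e.getMessage());
        }

        System.out.println("guarded (short name): " + stripClassPrefixGuarded(shortFieldName, className));
        System.out.println("guarded (prefixed):   " + stripClassPrefixGuarded(prefixedFieldName, className));
    }
}
```

Run with `javac SubstringGuardExample.java && java SubstringGuardExample`. The point of the guarded form is that a single unexpected field name should degrade to "not suspicious" rather than throw out of `visitAfter` and discard the detector's findings for the entire class, which is what the stack trace above shows happening.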

@nkavian Can you provide a sample to reproduce the case or example where the classname is shorter than a full field name?

I wanted to share sample code in my original post, but I couldn't narrow down what causes the issue in just this 1 file. The file has too many dependencies to be able to share anything meaningful, and it's not open sourced.

If you have a debug jar, I'd be happy to run it and capture the output.