1077838 – (6.3.0) isSensitiveValue of class SensitiveVaultExpressionConstraint uses incorrect index in java.lang.String.substring method

Bug 1077838 - (6.3.0) isSensitiveValue of class SensitiveVaultExpressionConstraint uses incorrect index in java.lang.String.substring method

Summary: (6.3.0) isSensitiveValue of class SensitiveVaultExpressionConstraint uses inc...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Domain Management
Sub Component:
Version:	6.2.0
Hardware:	All
OS:	All
Priority:	medium
Severity:	medium
Target Milestone:	DR6
Target Release:	EAP 6.3.0
Assignee:	Jay SenSharma
QA Contact:	Petr Kremensky
Docs Contact:	Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-03-18 16:42 UTC by Jay SenSharma
Modified:	2018-12-09 17:39 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	In previous releases of JBoss EAP 6, the `SensitiveVaultExpressionConstraint` class was using an incorrect string index when multiple {} occurred in the write attribute value. As a result, the use of the incorrect index was causing a `StringIndexOutOfBoundsException` to present. In this release the `isSensitiveValue` method of the `SensitiveVaultExpressionConstraint` class is fixed to use the correct index and the `StringIndexOutOfBoundsException` no longer prensents.
Clone Of:
Environment:
Last Closed:	2014-06-28 15:41:19 UTC
Type:	Bug

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	761613	None	None	None	Never
Red Hat One Jira Issue Tracker	WFLY-3131	Major	Resolved	isSensitiveValue of class SensitiveVaultExpressionConstraint uses incorrect index in java.lang.String.substring method	2015-12-31 04:04:06 UTC

Description Jay SenSharma 2014-03-18 16:42:44 UTC

Description of problem:
======================

The isSensitiveValue(ModelNode value) method of class "org.jboss.as.controller.access.constraint.SensitiveVaultExpressionConstraint" seems to be using the incorrect index in java.lang.String.substring method. Which is causing the following exceptions in the logs while executing the following kind of CLI command:

+++++++++++
[standalone@localhost:9999 /] /subsystem=logging/periodic-rotating-file-handler=FILE:write-attribute(name=formatter, value="%d{HH:mm:ss,SSS} %-5p [%c] (${jboss.node.name} %t) %s%E%n")
{
    "outcome" => "failed",
    "failure-description" => "JBAS014749: Operation handler failed: String index out of range: -15",
    "rolled-back" => true
}
+++++++++++


The Exception can be seen as following in the WildFly Logs:

+++++++++++
22:08:07,640 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) JBAS014612: Operation ("write-attribute") failed - address: ([
    ("subsystem" => "logging"),
    ("periodic-rotating-file-handler" => "FILE")
]): java.lang.StringIndexOutOfBoundsException: String index out of range: -15
	at java.lang.String.substring(String.java:1911) [rt.jar:1.7.0_51]
	at org.jboss.as.controller.access.constraint.SensitiveVaultExpressionConstraint$Factory.isSensitiveValue(SensitiveVaultExpressionConstraint.java:128) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.access.constraint.SensitiveVaultExpressionConstraint$Factory.isSensitiveAction(SensitiveVaultExpressionConstraint.java:89) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.access.constraint.SensitiveVaultExpressionConstraint$Factory.getRequiredConstraint(SensitiveVaultExpressionConstraint.java:81) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.access.rbac.DefaultPermissionFactory.getRequiredPermissions(DefaultPermissionFactory.java:201) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
+++++++++++


Version-Release number of selected component (if applicable):


How reproducible:
==================
Steps to Reproduce:
1. Take a fresh EAP 6.2 installation.
2. Start the Standalone profile.
3. Now using the "jboss-cli.sh" script run the following command:

/subsystem=logging/periodic-rotating-file-handler=FILE:write-attribute(name=formatter, value="%d{HH:mm:ss,SSS} %-5p [%c] (${jboss.node.name} %t) %s%E%n")


Actual results:
================
JBoss EAP throwing the following Error:

java.lang.StringIndexOutOfBoundsException: String index out of range: -15
	at java.lang.String.substring(String.java:1911) [rt.jar:1.7.0_51]
	at org.jboss.as.controller.access.constraint.SensitiveVaultExpressionConstraint$Factory.isSensitiveValue(SensitiveVaultExpressionConstraint.java:128) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]



Expected results:
=================
 Should have updated the logging configuration without throwing the exception.


Additional info:

Comment 4 Kabir Khan 2014-03-21 10:11:10 UTC

Jay, MODIFIED is for me to set when merged. POST is the state for when a PR is opened

Comment 5 Ondrej Lukas 2014-03-28 13:31:12 UTC

Verified on EAP 6.3.0.DR6.

Comment 6 JBoss JIRA Server 2014-04-03 04:48:35 UTC

Jay Kumar SenSharma <jsenshar@redhat.com> updated the status of jira WFLY-3131 to Closed

Comment 7 JBoss JIRA Server 2014-06-01 02:28:15 UTC

Jason Greene <jason.greene@jboss.com> updated the status of jira WFLY-3131 to Reopened

Comment 8 JBoss JIRA Server 2014-06-01 02:30:52 UTC

Jason Greene <jason.greene@jboss.com> updated the status of jira WFLY-3131 to Resolved

Note You need to log in before you can comment on or make changes to this bug.