|
Behnam Hatami opened 10 years ago
|
|
Behnam, thank you for submitting this ticket, our code analysis and suggestions. I really appreciate it and I am impressed with your deep diving into our implementation details. Therefore, I hope you will not feel offended if I reject your suggestions this time. The current code works exactly as expected. This is intentional design and behavior. Please note the class name: **NonAuthUserRepositoryImpl. This NonAuth should be a hint. This class allows certain part of the code to access some, selected user's data, even if the context of the code execution is not authenticated to any user. This creates a set of very specific requirements, one of them not to allow any unintentional information leak. If the code thrown exception and application code returned an error, then this would be a way to a malicious user to get some information from our server. For example, it would allow the user to probe user's account names, what accounts exist and what account does not exist on our server. We do not want to allow for that. |
|
|
Hi Artur, Thanks for your response. I undrestand your security conserns, but this method won't be used directly by a user, it will be used by a plugin for example, and handling this exception, is their duty. returning a correct response from your function is another thing. I think because of your method signiture (throws UserNotFoundException), your code should be aware of the exception but your code should not return error code, instead returing something like normal action or forbiden. (for example in the "JabberIqIq.java" in "tigase.xmpp.impl", you just ignore to respond. I don't see any deference between returing null and throwing exception, because they are special values (similar to before exception erra). I have a second objection, if you are agree to hide this case from plugins(any code in general), it is better to remove the throws UserNotFoundException, because your code never throws this exception and this is inconsistency (I'm not agree with removing this, plugins should know what happended underneath). |
|
|
Thank you for your comments. I will review our suggestion but this change would affect larger part of the code and a general concept of handling such use-cases. Therefore, this is not something I am willing to do in rush. |
|
|
I think I can handle this situation at least with Tigase-server code (If you don't mind) (as I checked about 6-7 files would be changed), the change would be setting the variable null from outside (rather than returning null), that would not have any side effects and behavioural changes. after this change, You can change the general behaviour whenever you want. (I think this change is very beneficial for future codes). [I also think this change wouldn't effects external codes, because they consider "UserNotFoundException" exception works as expected due to method signiture] |
| Type |
Patch
|
| Priority |
Normal
|
| Assignee | |
| RedmineID |
2825
|
| Version |
tigase-server-7.1.0
|
| Estimation |
1h
|
as I was checking the source code of tigase, I find something strange, the code has inconsistencies. for example "getPublicData" in "NonAuthUserRepositoryImpl.java" returns null when the user doesn't exists. I think it can be a more consistant and uniform way for this, for example throwing an exception. beacause if user doesn't exist I can't find out user doesn't exists or default value returned(assume default value = null). there are some kinds of other inconsistencies, for example for "userExists" method of "UserRepository.java" there isn't any TigaseDBException in the exception list, so this method consider database problem as not existing username in implementation, that is not concise.
for the first problem I mentioned, I added a patch to do the correct behaviour.
patch.txt