RM-5346: Null pointers should not be dereferenced

2025-07-31 17:39:05 +00:00 · 2017-06-27 16:35:51 +01:00
parent e75accfeeb
commit 2220fd889e
3 changed files with 21 additions and 2 deletions
--- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMAfterInvocationProvider.java
+++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMAfterInvocationProvider.java
@@ -37,6 +37,7 @@ import java.util.Map;
 import java.util.Set;
 import java.util.StringTokenizer;

+import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
 import org.alfresco.repo.search.SimpleResultSetMetaData;
 import org.alfresco.repo.search.impl.lucene.PagingLuceneResultSet;
@@ -172,7 +173,12 @@ public class RMAfterInvocationProvider extends RMSecurityCommon
            }
            else if (StoreRef.class.isAssignableFrom(returnedObject.getClass()))
            {
-                return decide(authentication, object, config, nodeService.getRootNode((StoreRef) returnedObject)).getStoreRef();
+                NodeRef rootNodeRef = decide(authentication, object, config, nodeService.getRootNode((StoreRef) returnedObject));
+                if (rootNodeRef == null)
+                {
+                    throw new AlfrescoRuntimeException("Root node reference of '" + returnedObject + "' is null.");
+                }
+                return rootNodeRef.getStoreRef();
            }
            else if (NodeRef.class.isAssignableFrom(returnedObject.getClass()))
            {
@@ -208,7 +214,7 @@ public class RMAfterInvocationProvider extends RMSecurityCommon
            }
            else
            {
-                if (logger.isDebugEnabled())
+                if (logger.isDebugEnabled() && object.getClass() != null)
                {
                    logger.debug("Uncontrolled object - access allowed for " + object.getClass().getName());
                }
--- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/script/ApplyDodCertModelFixesGet.java
+++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/script/ApplyDodCertModelFixesGet.java
@@ -105,6 +105,15 @@ public class ApplyDodCertModelFixesGet extends DeclarativeWebScript
        }

        M2Model customModel = readCustomContentModel();
+        if (customModel == null)
+        {
+            final String msg = "Custom content model could not be read";
+            if (logger.isErrorEnabled())
+            {
+                logger.error(msg);
+            }
+            throw new AlfrescoRuntimeException(msg);
+        }

        String customAspectName = ASPECT_CUSTOM_ASSOCIATIONS.toPrefixString(namespaceService);
        M2Aspect customAssocsAspect = customModel.getAspect(customAspectName);
--- a/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/script/ApplyFixMob1573Get.java
+++ b/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/script/ApplyFixMob1573Get.java
@@ -83,6 +83,10 @@ public class ApplyFixMob1573Get extends DeclarativeWebScript
    public Map<String, Object> executeImpl(WebScriptRequest req, Status status, Cache cache)
    {
        M2Model customModel = readCustomContentModel();
+        if (customModel == null)
+        {
+            throw new AlfrescoRuntimeException("Custom content model could not be read");
+        }

        // Go through every custom reference defined in the custom model and make sure that it
        // has many-to-many multiplicity