Stream: hapi
Topic: ConsentInterceptor can produce NPE in other Interceptors
André-Sebastian Liebe (Jun 26 2020 at 09:55):
Hello all,
I have found a bug in HAPIs Interceptor logic, that produces NullPointerExceptions for other Interceptors when they don't check for null values or missing NULL checks in BinaryStorageInterceptor, ConsentInterceptor and AuthorizationInterceptor
Which one to file?
When Consertservice.willSeeResource(...) for a resource returns a ConsentOutcome.REJECT, ConsentInterceptor.interceptPreShow will null the resource in IPreResourceShowDetails https://github.com/jamesagnew/hapi-fhir/blob/ceeff0ccf067f65ee9b59c492e1d96b4ac8499a5/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/consent/ConsentInterceptor.java#L181
Now IPreResourceShowDetails contains nulls which may cause NPEs on any consecutive Pointcut.STORAGE_PRESHOW_RESOURCES hook, like https://github.com/jamesagnew/hapi-fhir/blob/master/hapi-fhir-jpaserver-base/src/main/java/ca/uhn/fhir/jpa/binstore/BinaryStorageInterceptor.java#L252 or ConsentInterceptor itself, when an other hook nulled a resource earlier.
In the past (up to 4.2.0) I just had my interceptor hook remove any null resources from IPreResourceShowDetails. But now that SimplePreResourceShowDetails changed it's internal myResources from a List https://github.com/jamesagnew/hapi-fhir/blob/v4.2.0/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/api/server/SimplePreResourceShowDetails.java#L32 to an array https://github.com/jamesagnew/hapi-fhir/blob/v5.0.0/hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/api/server/SimplePreResourceShowDetails.java#L37
thats isn't possible any more.
Any suggestions?
André-Sebastian Liebe (Jun 29 2020 at 05:53):
@James Agnew ?
Last updated: Apr 12 2022 at 19:14 UTC
