The file conf/attribute-resolver.xml.tmpl, which is used to generate the attribute-resolver.xml file, contains a number of scripted elements used to resolve attributes (implemented in the Nashorn scripting language, e.g. pseudo-Java). Several of these contain unguarded access to data elements which could throw an exception if given invalid data, causing attribute resolution to crash. There are also some other code optimizations desired. I reviewed all of the scripted elements and the recommended changes are listed below.
In displayNameAndPronouns: fix unguarded access to displayName if that is not defined.
In entitlement_sln: check string length (crs and grp) before performing substring operations at specific indexes.
In entitlement_spss: add a break statement out of the for loop when the matching element is found.
In entitlement_dlt_a: add a break statement out of the for loop when the matching element is found.
In awsrole: check string length (grp) before performing substring operations at specific indexes.
In entitlement_dlt_u: add a break statement out of the for loop when the matching element is found.
In email: fix unguarded access to uwNetID if that is not defined.
mar235av
commented
1 year ago
The file conf/attribute-resolver.xml.tmpl, which is used to generate the attribute-resolver.xml file, contains a number of scripted elements used to resolve attributes (implemented in the Nashorn scripting language, e.g. pseudo-Java). Several of these contain unguarded access to data elements which could throw an exception if given invalid data, causing attribute resolution to crash. There are also some other code optimizations desired. I reviewed all of the scripted elements and the recommended changes are listed below.
In displayNameAndPronouns: fix unguarded access to displayName if that is not defined. In entitlement_sln: check string length (crs and grp) before performing substring operations at specific indexes. In entitlement_spss: add a break statement out of the for loop when the matching element is found. In entitlement_dlt_a: add a break statement out of the for loop when the matching element is found. In awsrole: check string length (grp) before performing substring operations at specific indexes. In entitlement_dlt_u: add a break statement out of the for loop when the matching element is found. In email: fix unguarded access to uwNetID if that is not defined.