oscarngncc / COMP4111_project

COMP4111 project

[Memory Leakage] Connection and Statement are not closed after being used. #27

Open chanhyeok95 opened 4 years ago

chanhyeok95 commented 4 years ago

Bug Kind: Resource Leakage
How to reproduce bug: Run any logic that has a connection to the DB (methods in SqlHelpers.java).

All the connections and statements to the DB should be closed explicitly after usage, as it can potentially lead to a memory leakage problem if not closed explicitly. I only see that the ResultSet is being closed, not the connection and statement.

I have regarded this issue as a bug because the TAs regarded this issue as a bug.
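As an added illustration (not code from the project's SqlHelpers.java or from either commenter), the following Java class places the pattern the report describes, where only the ResultSet is closed, beside a try-with-resources version that closes the ResultSet, the PreparedStatement and the Connection in reverse order on both normal return and exception. The class name, the JDBC URL, the credentials, and the `books`/`title` table and column are assumptions; a JDBC driver matching the URL must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Illustration added for this issue. Class name, JDBC URL, credentials and
 * the books/title schema are assumptions, not taken from SqlHelpers.java.
 */
public class ResourceLeakExample {

    // Placeholders: replace with the project's real JDBC URL and credentials.
    private static final String JDBC_URL = "jdbc:mysql://localhost:3306/example_db";
    private static final String USER = "example_user";
    private static final String PASSWORD = "example_password";
    private static final String QUERY = "SELECT title FROM books WHERE id = ?";

    /**
     * Leaky pattern: only the ResultSet is closed. The PreparedStatement and
     * the Connection stay open until the garbage collector eventually finalizes
     * them, so every call keeps one server-side DB connection occupied.
     */
    public static String findBookLeaky(String id) throws SQLException {
        Connection conn = DriverManager.getConnection(JDBC_URL, USER, PASSWORD);
        PreparedStatement stmt = conn.prepareStatement(QUERY);
        stmt.setString(1, id);
        ResultSet rs = stmt.executeQuery();
        String title = rs.next() ? rs.getString("title") : null;
        rs.close(); // stmt and conn are never closed: this is the leak
        return title;
    }

    /**
     * Fixed pattern: try-with-resources closes rs, then stmt, then conn, in
     * reverse order of declaration, whether the body returns or throws.
     */
    public static String findBookSafe(String id) throws SQLException {
        try (Connection conn = DriverManager.getConnection(JDBC_URL, USER, PASSWORD);
             PreparedStatement stmt = conn.prepareStatement(QUERY)) {
            stmt.setString(1, id);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() ? rs.getString("title") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        String id = args.length > 0 ? args[0] : "1";
        System.out.println(findBookSafe(id));
    }
}
```

Per the JDBC contract, closing a Connection also releases its Statements and ResultSets, but relying on that only helps if the Connection is closed at all; with a pooled DataSource, `close()` is what returns the connection to the pool, so the leaky form exhausts the pool (or the database's connection limit) under sustained load, which is an availability problem rather than a confidentiality one. On a test server, the effect is observable by calling the leaky method repeatedly and watching the number of open connections on the database side grow until new connections are refused.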

oscarngncc commented 4 years ago

"The issue reporter must be able to provide a test case to trigger the issue".

Perhaps you can provide an example that creates visible exceptions due to this issue? Thanks

chanhyeok95 commented 4 years ago

@oscarngncc,

Since it is related to a memory leakage issue, unfortunately I am not able to produce a test case that can trigger this issue. As I mentioned, I regarded this issue as a bug since the TA did so. You can leave this issue as it is now, and @comp4111ta can help decide on this issue.

FYI, I have attached a few links that talk about this issue (just for reference):
https://stackoverflow.com/questions/2225221/closing-database-connections-in-java
https://stackoverflow.com/questions/880885/is-closing-the-mysql-connection-important

oscarngncc commented 4 years ago

I would consider this as an internal server or a performance issue at most, since the server failed to free up the resource by closing the connection after executing the query. The links you provided, while inspiring, don't really explain what external security exploit can be abused through this method. Plus, a test case is still needed, imo.

Thanks for the reminder though in having better practice.

chanhyeok95 commented 4 years ago

@oscarngncc,

Thanks for your feedback. In my humble opinion, I think it is the developer's responsibility to ensure that the server does free up the resources after usage, so the server would not crash due to memory leakage. Also, I think a bug does not need to be something that exploits the security of a program, as there can be many kinds of bugs. Once again, I only regarded this as an issue because our team had a conversation about this issue with the TAs during the previous bug bounty program, and it was regarded as a bug verified by the TA.

Since it seems like we do not come to a consensus on this issue, let's seek help from @comp4111ta. I honestly do not know how to make a test case for this type of bug at the moment, so if the TA says it is necessary to come up with one, I will try to do so. Thanks.