Add Null Protection on Log / Logger

[swathikumar4precisely]

Jetty version - 9.4.36 and above

Java version - 1.8

OS type/version - Linux/Windows

Description

Hi Team,

To address potential security issue, in our product we are trying to upgrade from v9.4.26 to v9.4.36.
When we replaced the jars and bounced our application, our application does come up fine - however, upon accessing the dashboard/home page of our application, we get NullPointerException. We also tested by upgrading to v9.4.39 and the same issue exists there as well.

Please note, we are not having this issue with the current jetty version we have in our product - v9.4.26.

Attaching the file with the full stack here.

We suspect it is a framework change in 9.4.36 and above - can you please review this stack and help us resolve this issue?

HTTP ERROR 500 java.lang.NullPointerException
URI:	/dashboard/
STATUS:	500
MESSAGE:	java.lang.NullPointerException
SERVLET:	default
CAUSED BY:	java.lang.NullPointerException
Caused by:
java.lang.NullPointerException
	at org.eclipse.jetty.http.HttpCookie.getSameSiteDefault(HttpCookie.java:477)
	at org.eclipse.jetty.server.Response.checkSameSite(Response.java:220)
	at org.eclipse.jetty.server.Response.addCookie(Response.java:201)
	at org.eclipse.jetty.server.Response.replaceCookie(Response.java:283)
	at org.eclipse.jetty.server.Request.getSession(Request.java:1634)
	at org.eclipse.jetty.server.Request.getSession(Request.java:1602)
	at com.sterlingcommerce.security.dv.web.SCUIWebValidationUtils.bypassRequestValidation(SCUIWebValidationUtils.java:281)
	at com.sterlingcommerce.security.dv.web.SCUISafeRequestFilter.doFilter(SCUISafeRequestFilter.java:41)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at com.sterlingcommerce.woodstock.ui.SecurityExtensionFilter.doFilter(SecurityExtensionFilter.java:238)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
	at org.eclipse.jetty.server.HttpChannel$$Lambda$93/00000000F0012540.dispatch(Unknown Source)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:135)
	at org.eclipse.jetty.io.ManagedSelector$$Lambda$84/00000000EC710D60.run(Unknown Source)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
	at java.lang.Thread.run(Thread.java:822)

[swathikumar4precisely]

Please do let me know if you need to review our product code.

Regards
Swathi BN

[joakime]

This is surprising, and would be happening to millions of jetty installations, as it's a highly used code path.

Line 477 in your stacktrace doesn't line up with anything that should ever be null.

https://github.com/eclipse/jetty.project/blob/jetty-9.4.36.v20210114/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCookie.java#L477

https://github.com/eclipse/jetty.project/blob/238ec6997c7806b055319a6d11f8ae7564adc0de/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCookie.java#L470-L480

Do you have some kind of custom logging going on in your environment?

Also note, that 9.4.40 was just released.
https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.40.v20210413

[swathikumar4precisely]

Hi Joakime - apologies for not getting back to you on this one.
You were spot on in identifying the issue - yes , I had turned the jetty debug on through JDK parameters and upon reading your inputs, I removed the debug parameters and can no longer see the NPE.

Many thanks for your quick response in getting this issue resolved.

Regards
Swathi BN