Description
Summary
In your repository (Maven org.springframework:spring-web @ 6.1.12), we have found a bug that may require your attention.
In file AbstractNamedValueArgumentResolver.java, class KotlinDelegate, method hasDefaultValue, there is a potential null pointer dereference at line 341 (commit 3476425):

```java
Method method = Objects.requireNonNull(parameter.getMethod());
```
In other places in the code, e.g. spring-framework/spring-core/src/main/java/org/springframework/core/MethodParameter.java at line 513 and line 774 (commit d79258a):

```java
Method method = getMethod();
```

the result of `getMethod()` was checked for a null value. But if we put it directly inside `Objects.requireNonNull`, we may get an exception.
A potential fix would be to replace the following line

```java
Method method = Objects.requireNonNull(parameter.getMethod());
```

with

```java
Method method = parameter.getMethod();
if (method == null) {
    return false;
}
```

Another option could be to use `Objects.requireNonNullElse`.
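The two shapes of the method side by side, as an added illustration that is not Spring's code: `Param` is a simplified stand-in modelled on `MethodParameter`, whose `getMethod()` returns null when the wrapped executable is a constructor rather than a method, which is the situation in which the `requireNonNull` form throws and the null-checked form returns false. The `Sample` class and the parameter-count check are placeholders for the real Kotlin default-value logic.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Executable;
import java.lang.reflect.Method;
import java.util.Objects;

public class NullMethodDemo {

    // Stand-in for MethodParameter: getMethod() is null for a constructor parameter.
    static final class Param {
        private final Executable executable;
        Param(Executable executable) { this.executable = executable; }
        Method getMethod() {
            return (executable instanceof Method) ? (Method) executable : null;
        }
    }

    // Shape of the reported line: requireNonNull throws NullPointerException
    // as soon as the parameter belongs to a constructor.
    static boolean hasDefaultValueBefore(Param parameter) {
        Method method = Objects.requireNonNull(parameter.getMethod());
        return method.getParameterCount() > 0; // placeholder for the real check
    }

    // Shape of the proposed fix: a null Method simply means "no default value".
    static boolean hasDefaultValueAfter(Param parameter) {
        Method method = parameter.getMethod();
        if (method == null) {
            return false;
        }
        return method.getParameterCount() > 0; // placeholder for the real check
    }

    // Constructed sample type with one constructor parameter and one method parameter.
    static class Sample {
        Sample(String name) {}
        void handle(String name) {}
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Constructor<Sample> ctor = Sample.class.getDeclaredConstructor(String.class);
        Method handle = Sample.class.getDeclaredMethod("handle", String.class);
        System.out.println("after, method param: " + hasDefaultValueAfter(new Param(handle)));
        System.out.println("after, ctor param:   " + hasDefaultValueAfter(new Param(ctor)));
        try {
            hasDefaultValueBefore(new Param(ctor));
        } catch (NullPointerException e) {
            System.out.println("before, ctor param:  NullPointerException");
        }
    }
}
```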
Sponsorship and Support
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed, to improve global software supply chain security.
The bug was found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.