Guard NSStrings

purejava · purejava · commit e763b3aec6e9 · 2025-07-16T18:57:55.000+02:00
Fixes cryptomator/cryptomator#3932
diff --git a/src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m b/src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m
@@ -26,41 +26,50 @@ JNIEXPORT jint JNICALL Java_org_cryptomator_macos_keychain_MacKeychain_00024Nati
 	jbyte *pwStr = (*env)->GetByteArrayElements(env, password, NULL);
 	jsize length = (*env)->GetArrayLength(env, password);
 
-	// find existing:
-	NSMutableDictionary *query = [@{
-		(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-		(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
-		(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
-		(__bridge id)kSecReturnAttributes: @YES,
-		(__bridge id)kSecReturnData: @YES,
-		(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
-	} mutableCopy];
-	if (requireOsAuthentication) {
-		LAContext *context = getSharedLAContext();
-		query[(__bridge id)kSecUseAuthenticationContext] = context;
-	}
-	CFDictionaryRef result = NULL;
-	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
-	if (status == errSecSuccess && result != NULL) {
-		// update existing:
-		NSDictionary *attributesToUpdate = @{
-			(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
-		};
-		status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)attributesToUpdate);
-	} else if (status == errSecItemNotFound) {
-		// add new:
-		NSMutableDictionary *attributes = [@{
+	NSString *serviceString = [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding];
+	NSString *keyString = [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding];
+
+	OSStatus status = errSecParam;
+
+	if (serviceString && keyString) { // guard both NSStrings not to be NIL
+		// find existing:
+		NSMutableDictionary *query = [@{
 			(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-			(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
-			(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
-			(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
+			(__bridge id)kSecAttrService: serviceString,
+			(__bridge id)kSecAttrAccount: keyString,
+			(__bridge id)kSecReturnAttributes: @YES,
+			(__bridge id)kSecReturnData: @YES,
+			(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
 		} mutableCopy];
 		if (requireOsAuthentication) {
-			attributes[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenUnlocked, kSecAccessControlUserPresence, NULL);
+			LAContext *context = getSharedLAContext();
+			query[(__bridge id)kSecUseAuthenticationContext] = context;
+		}
+		CFDictionaryRef result = NULL;
+		status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
+		if (status == errSecSuccess && result != NULL) {
+			// update existing:
+			NSDictionary *attributesToUpdate = @{
+				(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
+			};
+			status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)attributesToUpdate);
+		} else if (status == errSecItemNotFound) {
+			// add new:
+			NSMutableDictionary *attributes = [@{
+				(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
+				(__bridge id)kSecAttrService: serviceString,
+				(__bridge id)kSecAttrAccount: keyString,
+				(__bridge id)kSecValueData: [NSData dataWithBytes:pwStr length:length]
+			} mutableCopy];
+			if (requireOsAuthentication) {
+				attributes[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenUnlocked, kSecAccessControlUserPresence, NULL);
+			}
+			status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
+		} else {
+			NSLog(@"Error storing item in keychain. Status code: %d", (int)status);
 		}
-		status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
 	} else {
-		NSLog(@"Error storing item in keychain. Status code: %d", (int)status);
+		NSLog(@"Invalid UTF-8 input: service or key string conversion failed");
 	}
 
 	(*env)->ReleaseByteArrayElements(env, service, serviceStr, JNI_ABORT);
@@ -73,28 +82,36 @@ JNIEXPORT jbyteArray JNICALL Java_org_cryptomator_macos_keychain_MacKeychain_000
 	jbyte *serviceStr = (*env)->GetByteArrayElements(env, service, NULL);
 	jbyte *keyStr = (*env)->GetByteArrayElements(env, key, NULL);
 
-	// find existing:
-	LAContext *context = getSharedLAContext();
-	NSDictionary *query = @{
-		(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-		(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
-		(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
-		(__bridge id)kSecReturnAttributes: @YES,
-		(__bridge id)kSecReturnData: @YES,
-		(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
-		(__bridge id)kSecUseAuthenticationContext: context
-	};
-	CFDictionaryRef result = NULL;
-	OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
+	NSString *serviceString = [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding];
+	NSString *keyString = [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding];
+
 	jbyteArray password = NULL;
-	if (status == errSecSuccess && result != NULL) {
-		// retrieve password:
-		NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
-		NSData *passwordData = attributes[(__bridge id)kSecValueData];
-		password = (*env)->NewByteArray(env, (int)passwordData.length);
-		(*env)->SetByteArrayRegion(env, password, 0, (int)passwordData.length, (jbyte *)passwordData.bytes);
-	} else if (status != errSecItemNotFound) {
-		NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
+
+	if (serviceString && keyString) { // guard both NSStrings not to be NIL
+		// find existing:
+		LAContext *context = getSharedLAContext();
+		NSDictionary *query = @{
+			(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
+			(__bridge id)kSecAttrService: serviceString,
+			(__bridge id)kSecAttrAccount: keyString,
+			(__bridge id)kSecReturnAttributes: @YES,
+			(__bridge id)kSecReturnData: @YES,
+			(__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
+			(__bridge id)kSecUseAuthenticationContext: context
+		};
+		CFDictionaryRef result = NULL;
+		OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&result);
+		if (status == errSecSuccess && result != NULL) {
+			// retrieve password:
+			NSDictionary *attributes = (__bridge_transfer NSDictionary *)result;
+			NSData *passwordData = attributes[(__bridge id)kSecValueData];
+			password = (*env)->NewByteArray(env, (int)passwordData.length);
+			(*env)->SetByteArrayRegion(env, password, 0, (int)passwordData.length, (jbyte *)passwordData.bytes);
+		} else if (status != errSecItemNotFound) {
+			NSLog(@"Error retrieving item from keychain. Status code: %d", (int)status);
+		}
+	} else {
+		NSLog(@"Invalid UTF-8 input: service or key string conversion failed");
 	}
 
 	(*env)->ReleaseByteArrayElements(env, service, serviceStr, JNI_ABORT);
@@ -106,17 +123,26 @@ JNIEXPORT jint JNICALL Java_org_cryptomator_macos_keychain_MacKeychain_00024Nati
 	jbyte *serviceStr = (*env)->GetByteArrayElements(env, service, NULL);
 	jbyte *keyStr = (*env)->GetByteArrayElements(env, key, NULL);
 
-	// find existing:
-	LAContext *context = getSharedLAContext();
-	NSDictionary *query = @{
-		(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
-		(__bridge id)kSecAttrService: [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding],
-		(__bridge id)kSecAttrAccount: [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding],
-		(__bridge id)kSecUseAuthenticationContext: context
-	};
-	OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query);
-	if (status != errSecSuccess) {
-		NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
+	NSString *serviceString = [NSString stringWithCString:(char *)serviceStr encoding:NSUTF8StringEncoding];
+	NSString *keyString = [NSString stringWithCString:(char *)keyStr encoding:NSUTF8StringEncoding];
+
+	OSStatus status = errSecParam;
+
+	if (serviceString && keyString) { // guard both NSStrings not to be NIL
+		// find existing:
+		LAContext *context = getSharedLAContext();
+		NSDictionary *query = @{
+			(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
+			(__bridge id)kSecAttrService: serviceString,
+			(__bridge id)kSecAttrAccount: keyString,
+			(__bridge id)kSecUseAuthenticationContext: context
+		};
+		status = SecItemDelete((__bridge CFDictionaryRef)query);
+		if (status != errSecSuccess) {
+			NSLog(@"Error deleting item from keychain. Status code: %d", (int)status);
+		}
+	} else {
+		NSLog(@"Invalid UTF-8 input: service or key string conversion failed");
 	}
 
 	(*env)->ReleaseByteArrayElements(env, service, serviceStr, JNI_ABORT);
