Added uncleared password warning

The Password class has been modified to store the location where it was created initially. If the Password object is garbage collected without being cleared first, it will display a warning message showing the location of the offending code.
Dessa · Jul 19, 2019 · b201d95 · b201d95
1 parent d634b1e
commit b201d95
Showing 1 changed file with 34 additions and 3 deletions.
diff --git a/org/mozilla/jss/util/Password.java b/org/mozilla/jss/util/Password.java
@@ -6,6 +6,8 @@
 
 import java.io.CharConversionException;
 import java.io.Console;
+import java.io.PrintWriter;
+import java.io.StringWriter;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -25,6 +27,9 @@ public class Password implements PasswordCallback, Cloneable,
 
     public static Logger logger = LoggerFactory.getLogger(Password.class);
 
+    // store the location where the Password object was created
+    private StackTraceElement[] stackTrace = new Throwable().getStackTrace();
+
     /**
      * Don't use this if you aren't Password.
      */
@@ -172,10 +177,36 @@ public synchronized Object clone() {
      */
     @Deprecated
     protected void finalize() throws Throwable {
-        if(!cleared) {
-            logger.warn("Password was garbage collected before it was cleared.");
-        }
+
+        if (cleared) return;
+
+        // clear the password first
         clear();
+
+        StringWriter sw = new StringWriter();
+        PrintWriter out = new PrintWriter(sw, true);
+        int i = 0;
+
+        // show where the password was created
+        for (; i < stackTrace.length; i++) {
+            StackTraceElement ste = stackTrace[i];
+            String className = ste.getClassName();
+            if (Password.class.getName().equals(className)) continue;
+
+            out.println("Uncleared Password object created at " + ste);
+            i++;
+            break;
+        }
+
+        // show who called the code
+        for (; i < stackTrace.length; i++) {
+            StackTraceElement ste = stackTrace[i];
+            out.println("        called by " + ste);
+        }
+
+        out.println("Please report the above trace to your software vendors.");
+
+        logger.warn(sw.toString());
     }
 
 	/**