Safe comparison of username:password separator position against full string length

dmitryb-asg · dmitryb-asg · commit 2821036d98eb · 2021-11-04T10:28:14.000+02:00
diff --git a/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java b/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java
@@ -137,7 +137,7 @@ public ServerHandshakeBuilder onWebsocketHandshakeReceivedAsServer(WebSocket web
                 for (int i = 0; i < credDecoded.length; i++) {
                   if (credDecoded[i] == ':') {
                     username = new String(Arrays.copyOfRange(credDecoded, 0, i), StandardCharsets.UTF_8);
-                    if (i != credDecoded.length - 1) {
+                    if (i + 1 < credDecoded.length) {
                       password = Arrays.copyOfRange(credDecoded, i + 1, credDecoded.length);
                     }
                     break;

Original file line number	Diff line number	Diff line change
`@@ -137,7 +137,7 @@ public ServerHandshakeBuilder onWebsocketHandshakeReceivedAsServer(WebSocket web`
`137`	`137`	`for (int i = 0; i < credDecoded.length; i++) {`
`138`	`138`	`if (credDecoded[i] == ':') {`
`139`	`139`	`username = new String(Arrays.copyOfRange(credDecoded, 0, i), StandardCharsets.UTF_8);`
`140`		`- if (i != credDecoded.length - 1) {`
	`140`	`+ if (i + 1 < credDecoded.length) {`
`141`	`141`	`password = Arrays.copyOfRange(credDecoded, i + 1, credDecoded.length);`
`142`	`142`	`}`
`143`	`143`	`break;`