NullPointerException from request.getParameter(), only for certain URI values

I'm using AJAX to pass a string from a Javascript application to a Java server page (JSP) for processing. Here's a snippet of the code:

var toSend = new String.builder(); toSend.append('submission=').append(encodeURIComponent(submissionStr)); toSend.append('¤tQNum=<%= currentQNum %>&haveNewResponse=true' + '&evaluate=').append(evaluate); if (!isEmpty(selections)) toSend.append('&selections=').append(selections); if (!isEmpty(rxnIds)) toSend.append('&rxnIds=').append(rxnIds); callAJAX('<%= caller %>', toSend.toString()); function callAJAX(url, toSend, method) { "use strict"; xmlHttp.open('POST', url, true); xmlHttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); // set follow-up method when the server returns the page at URL xmlHttp.onreadystatechange = (!method ? updatePage : method); xmlHttp.setRequestHeader('Accept', 'message/x-jl-formresult'); xmlHttp.send(toSend); } // callAJAX() function updatePage() { if (xmlHttp.readyState === 4) { // ready to continue var responsePage = xmlHttp.responseText; ....

In very rare (I've found two examples so far) but completely reproducible circumstances, certain values of submissionStr cause responseText to come back empty. The log reveals that a NullPointerException is thrown at the second of these two lines from the JSP page:

Utils.alwaysPrint("answerJava.jsp.h: request is ", request == null ? "" : "not ", "null."); /**/ final String prefersJavaParam = request.getParameter("prefersJava");

The log output shows:

INFO: answerJava.jsp.h: request is not null. java.lang.NullPointerException at java.lang.System.arraycopy(Native Method) at com.sun.crypto.provider.GCTR.reset(GCTR.java:125) at com.sun.crypto.provider.GCTR.doFinal(GCTR.java:116) at com.sun.crypto.provider.GaloisCounterMode.doLastBlock(GaloisCounterMode.java:343) at com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:511) at com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1023) at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:960) at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:479) at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:830) at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730) at javax.crypto.Cipher.doFinal(Cipher.java:2460) at sun.security.ssl.CipherBox.decrypt(CipherBox.java:535) at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:200) at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:974) at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) at org.apache.tomcat.util.net.SecureNioChannel.read(SecureNioChannel.java:362) at org.apache.tomcat.util.net.NioBlockingSelector.read(NioBlockingSelector.java:159) at org.apache.tomcat.util.net.NioSelectorPool.read(NioSelectorPool.java:229) at org.apache.tomcat.util.net.NioSelectorPool.read(NioSelectorPool.java:210) at org.apache.coyote.http11.InternalNioInputBuffer.readSocket(InternalNioInputBuffer.java:643) at org.apache.coyote.http11.InternalNioInputBuffer.fill(InternalNioInputBuffer.java:945) at org.apache.coyote.http11.InternalNioInputBuffer$SocketInputBuffer.doRead(InternalNioInputBuffer.java:969) at org.apache.coyote.http11.filters.IdentityInputFilter.doRead(IdentityInputFilter.java:116) at org.apache.coyote.http11.InternalNioInputBuffer.doRead(InternalNioInputBuffer.java:916) at org.apache.coyote.Request.doRead(Request.java:427) at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:304) at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:419) at org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:327) at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:193) at org.apache.catalina.connector.Request.readPostBody(Request.java:2683) at org.apache.catalina.connector.Request.parseParameters(Request.java:2636) at org.apache.catalina.connector.Request.getParameter(Request.java:1106) at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:355) at org.apache.jsp.homework.answerframe_jsp._jspService(answerframe_jsp.java:409)

There are a number of features of this problem that are mystifying to me. Why would System.arraycopy() throw a NullPointerException at all, and why would it do it only for very particular values of submissionin the URI? Finally, what can I do to fix the problem?

I'll just sigh about the misuse of JSPs and trudge onwards...

There is no way on Earth that the NPE is caused by that line of code. What makes you think that it is?

Bear Bibeault wrote:There is no way on Earth that the NPE is caused by that line of code. What makes you think that it is?

Well, for one thing the NPE stack trace reports the line in answerframe_jsp.java that throws the exception, and if I look in that file, the reported line is the one I described. For another, if I print to the log immediately before and after that line, the log shows output from before that line, but not after.

at org.apache.jsp.homework.answerframe_jsp._jspService(answerframe_jsp.java:409)

You have checked the Java file for line 409? (Not the JSP file, whose line numbers are meaningless.)

Bear Bibeault wrote:at org.apache.jsp.homework.answerframe_jsp._jspService(answerframe_jsp.java:409)

You have checked the Java file for line 409? (Not the JSP file, whose line numbers are meaningless.)

Yes, answerframe_jsp.java, line 409.

You'll need to provide more context around to code. We'll need to see what's around the failing line (with line numbers would be nice). Providing both the JSP source for the lines as well as the grenade line may help.

And this type of difficult debugging is one of the very many reasons that Java code in JSPs has been obsolete for 15 years. You really shouldn't be writing new JSP pages with scriptlets embedded.

I wouldn't expect the choice of parameters to be causing bugs in internal SSL code, no matter whether it's in a JSP or not. I think there's something else going on here, but knowing very little about SSL implementations I can't even speculate what.

However if this problem could be reproduced at will using specific parameter names and values I would have to change my mind on that. So far I haven't exactly heard that there's a known repro on this thread.

What are the values of toSend that cause the issue?

Print them both in the Javascript on the client as well as use the client browser debug tools to see what the network tab shows as actually being sent.

I'm wondering if something is being garbled somehow.

Next, even if Bear is showing restraint, I have to comment on the munging together of Java stuff inside your Javascript and the use of Java in a JSP page as a whole.
This is poor practice, and seriously dated.
Most of this should be on the server, and the stuff required by the Javascript should be in fields in the HTML...anything than having those snippets there.

This phenomenon is completely reproducible on our installation.
I load a chemical drawing into a third-party program.
I press Submit, and the third-party program creates an XML representation of the drawing.
I use AJAX to send the XML to the server for analysis.
When I load a particular structure into the program and submit it, I get the NullPointerException.
If I change the appearance of the structure somewhat, so that some of the coordinates encoded in the XML change, the submission may go through.
I have found two drawings so far that fail to submit. The one whose XML is below is easier to reproduce than the other one; the other one, I always
have to draw in a very particular way to trigger the NPE, and it's hard to do it right every time.

Here is a value for toSend that induces the NullPointerException. Sorry, it contains no return characters, even before it is encoded.

submission=%3Ccml%3E%3CMDocument%3E%3CMChemicalStruct%3E%3Cmolecule%20molID%3D%22m1%22%3E%3CatomArray%3E%3Catom%20id%3D%22a1%22%20elementType%3D%22C%22%20x2%3D%22-5.6204167902469635%22%20y2%3D%221.311041682958603%22%2F%3E%3Catom%20id%3D%22a2%22%20elementType%3D%22C%22%20x2%3D%22-4.850416790246963%22%20y2%3D%22-0.02263743886943259%22%20formalCharge%3D%221%22%2F%3E%3Catom%20id%3D%22a3%22%20elementType%3D%22C%22%20x2%3D%22-5.620416790246963%22%20y2%3D%22-1.3563165606974683%22%2F%3E%3Catom%20id%3D%22a4%22%20elementType%3D%22N%22%20x2%3D%22-3.310416790246963%22%20y2%3D%22-0.02263743886943259%22%20lonePair%3D%221%22%2F%3E%3Catom%20id%3D%22a5%22%20elementType%3D%22C%22%20x2%3D%22-2.5404167902469625%22%20y2%3D%22-1.356316560697468%22%2F%3E%3Catom%20id%3D%22a6%22%20elementType%3D%22C%22%20x2%3D%22-2.5404167902469625%22%20y2%3D%221.311041682958603%22%2F%3E%3Catom%20id%3D%22a7%22%20elementType%3D%22C%22%20x2%3D%222.5608330285549163%22%20y2%3D%221.2490957797526878%22%2F%3E%3Catom%20id%3D%22a8%22%20elementType%3D%22C%22%20x2%3D%223.330833028554917%22%20y2%3D%22-0.08458334207534768%22%2F%3E%3Catom%20id%3D%22a9%22%20elementType%3D%22C%22%20x2%3D%222.5608330285549172%22%20y2%3D%22-1.4182624639033834%22%2F%3E%3Catom%20id%3D%22a10%22%20elementType%3D%22N%22%20x2%3D%224.870833028554917%22%20y2%3D%22-0.08458334207534768%22%20formalCharge%3D%221%22%2F%3E%3Catom%20id%3D%22a11%22%20elementType%3D%22C%22%20x2%3D%225.640833028554917%22%20y2%3D%22-1.4182624639033832%22%2F%3E%3Catom%20id%3D%22a12%22%20elementType%3D%22C%22%20x2%3D%225.640833028554917%22%20y2%3D%221.2490957797526878%22%2F%3E%3C%2FatomArray%3E%3CbondArray%3E%3Cbond%20atomRefs2%3D%22a1%20a2%22%20order%3D%221%22%20id%3D%22b1%22%2F%3E%3Cbond%20atomRefs2%3D%22a2%20a3%22%20order%3D%221%22%20id%3D%22b2%22%2F%3E%3Cbond%20atomRefs2%3D%22a2%20a4%22%20order%3D%221%22%20id%3D%22b3%22%2F%3E%3Cbond%20atomRefs2%3D%22a4%20a5%22%20order%3D%221%22%20id%3D%22b4%22%2F%3E%3Cbond%20atomRefs2%3D%22a4%20a6%22%20order%3D%221%22%20id%3D%22b5%22%2F%3E%3Cbond%20atomRefs2%3D%22a7%20a8%22%20order%3D%221%22%20id%3D%22b6%22%2F%3E%3Cbond%20atomRefs2%3D%22a8%20a9%22%20order%3D%221%22%20id%3D%22b7%22%2F%3E%3Cbond%20atomRefs2%3D%22a8%20a10%22%20order%3D%222%22%20id%3D%22b8%22%2F%3E%3Cbond%20atomRefs2%3D%22a10%20a11%22%20order%3D%221%22%20id%3D%22b9%22%2F%3E%3Cbond%20atomRefs2%3D%22a10%20a12%22%20order%3D%221%22%20id%3D%22b10%22%2F%3E%3C%2FbondArray%3E%3C%2Fmolecule%3E%3C%2FMChemicalStruct%3E%3CMElectronContainer%20occupation%3D%221%201%22%20radical%3D%220%22%20id%3D%22o1%22%3E%3CMElectron%20atomRefs%3D%22m1.a4%22%20difLoc%3D%220.0%200.0%200.0%22%2F%3E%3CMElectron%20atomRefs%3D%22m1.a4%22%20difLoc%3D%220.0%200.0%200.0%22%2F%3E%3C%2FMElectronContainer%3E%3CMEFlow%20id%3D%22o2%22%20arcAngle%3D%22270%22%20baseElectronContainerIndex%3D%220%22%20baseElectronIndexInContainer%3D%22-1%22%3E%3CMEFlowBasePoint%20atomRef%3D%22m1.a4%22%2F%3E%3CMAtomSetPoint%20atomRefs%3D%22m1.a2%20m1.a4%22%2F%3E%3C%2FMEFlow%3E%3CMRectangle%20lineColor%3D%22%23000000%22%20id%3D%22o3%22%3E%3CMPoint%20x%3D%22-6.8104168474674225%22%20y%3D%22-2.8583332300186157%22%2F%3E%3CMPoint%20x%3D%22-1.2687502205371857%22%20y%3D%22-2.8583332300186157%22%2F%3E%3CMPoint%20x%3D%22-1.2687502205371857%22%20y%3D%222.8583332300186157%22%2F%3E%3CMPoint%20x%3D%22-6.8104168474674225%22%20y%3D%222.8583332300186157%22%2F%3E%3C%2FMRectangle%3E%3CMRectangle%20lineColor%3D%22%23000000%22%20id%3D%22o4%22%3E%3CMPoint%20x%3D%221.2687502205371857%22%20y%3D%22-2.8583332300186157%22%2F%3E%3CMPoint%20x%3D%226.8104168474674225%22%20y%3D%22-2.8583332300186157%22%2F%3E%3CMPoint%20x%3D%226.8104168474674225%22%20y%3D%222.8583332300186157%22%2F%3E%3CMPoint%20x%3D%221.2687502205371857%22%20y%3D%222.8583332300186157%22%2F%3E%3C%2FMRectangle%3E%3CMPolyline%20headLength%3D%220.6%22%20headWidth%3D%220.4%22%20tailLength%3D%220.6%22%20tailWidth%3D%220.4%22%20tailFlags%3D%221%22%20id%3D%22o5%22%3E%3CMPoint%20x%3D%22-1.2687502205371857%22%20y%3D%220%22%2F%3E%3CMRectanglePoint%20rectRef%3D%22o4%22%20pos%3D%227%22%2F%3E%3C%2FMPolyline%3E%3C%2FMDocument%3E%3C%2Fcml%3E¤tQNum=1&haveNewResponse=true&evaluate=true

If I convert all instances of >< to >\n< before encoding and submitting, I don't get the NPE.

There's nothing interesting on the JSP page before the line that triggers the NPE. Here it is:

<%@ page language="java" %> <%@ page errorPage="/errormsgs/errorHandler.jsp" %> <%@ page import=" chemaxon.struc.DPoint3, chemaxon.struc.Molecule, chemaxon.formats.MolImporter, com.epoch.chem.ChemUtils, com.epoch.chem.MolString, com.epoch.db.QSetRW, com.epoch.db.ResponseLogger, com.epoch.evals.EvalResult, com.epoch.evals.impl.chemEvals.MapProperty, com.epoch.exceptions.VerifyException, com.epoch.genericQTypes.*, com.epoch.lewis.LewisMolecule, com.epoch.mechanisms.Mechanism, com.epoch.physics.*, com.epoch.qBank.Figure, com.epoch.qBank.QDatum, com.epoch.qBank.QSetDescr, com.epoch.qBank.Question, com.epoch.substns.SubstnUtils, com.epoch.session.GradeSet, com.epoch.session.HWSession, com.epoch.synthesis.RxnCondition, com.epoch.synthesis.Synthesis, com.epoch.utils.MathUtils, com.epoch.utils.Utils, java.text.NumberFormat, java.util.Arrays, java.util.Date, java.util.List, java.util.Map" %> <%@ include file="/js/edJava.jsp.h" %><% // imports energyDiagrams.* %> <%@ include file="/js/rxnCondsJava.jsp.h" %> <%! public boolean hasData(EvalResult evalResult) { return evalResult != null && evalResult.status != EvalResult.NO_STATUS; } // noData(EvalResult) %> <% response.setHeader("Cache-Control","no-cache, must-revalidate"); //HTTP 1.1 response.setHeader("Pragma","no-cache"); //HTTP 1.0 response.setDateHeader ("Expires", 0); //prevents caching at the proxy server final String pathToRoot = "../"; final int SOLVE = HWSession.SOLVE; final int VIEW = HWSession.VIEW; final int PRACTICE = HWSession.PRACTICE; final int SIMILAR = HWSession.SIMILAR; final int GRADEBOOK_VIEW = HWSession.GRADEBOOK_VIEW; final int PREVIEW = HWSession.PREVIEW; final int TEXTBOOK = HWSession.TEXTBOOK; final int NONE = -1; final char NO_STATUS = EvalResult.NO_STATUS; final char INITIALIZED = EvalResult.INITIALIZED; final char SAVED = EvalResult.SAVED; final char HUMAN_NEEDED = EvalResult.HUMAN_NEEDED; final char EVALUATED = EvalResult.EVALUATED; final int PTS_PER_Q = Assgt.PTS_PER_Q; final int ATTEMPT = Assgt.ATTEMPT; final int TIME = Assgt.TIME; final boolean PAST_TENSE = Assgt.PAST_TENSE; final String VAR = Question.STARS_SIMPLE; final String APPLET_NAME = "responseApplet"; Utils.alwaysPrint("answerJava.jsp.h: about to getParameter()."); final String prefersJavaParam = request.getParameter("prefersJava"); Utils.alwaysPrint("answerJava.jsp.h: did getParameter()."); usesMarvinJS = (prefersJavaParam == null ? !user.prefersJava() : !"true".equals(prefersJavaParam)); if (usesMarvinJS) MRV_EXPORT = MRV_EXPORT.split(":")[0]; // until Marvin JS understands export parameters

The two included pages, edJava.jsp.h and rxnCondsJava.jsp.h:

<%@ page import="com.epoch.energyDiagrams.*" %> <% final int DROP_HERE = 0; final int ADD = 1; final int ORBS_OF_TYPE = 2; final int CLICK_RCD = 3; final int CLICK_OED = 4; final int REFRESH_BUTTON = 5; final int DELETE_BUTTON = 6; final String[] edPhrases = new String[7]; edPhrases[DROP_HERE] = OED.DROP_HERE; edPhrases[ADD] = "Add"; edPhrases[ORBS_OF_TYPE] = "orbital(s) of type"; edPhrases[CLICK_RCD] = "Click on the table to add an energy state. " + "Click <b>•</b> to choose a state to delete, move, or " + "connect to another energy state: click on an empty cell " + "to move the state there, or click <b>•</b> next to " + "a second state to connect them with a line " + "or to remove an existing line between them."; edPhrases[CLICK_OED] = "Click <b>•</b> to choose a group of orbitals " + "to delete, move, or connect to another group: " + "click on an empty cell to move the group there, or click " + "<b>•</b> next to a second group to connect them with a " + "line or to remove an existing line between them."; edPhrases[REFRESH_BUTTON] = "Refresh"; edPhrases[DELETE_BUTTON] = "Delete"; %> <!-- vim:filetype=jsp --> <% final int CLICK_RXN = 0; final int INSERT_HERE = 1; final int ADD_1ST = 2; final int RXN_CONDN = 3; final int REMOVE = 4; final int AFTER_HERE = 5; final String[] rcPhrases = new String[6]; rcPhrases[CLICK_RXN] = "Click on a reaction condition's name to change it."; rcPhrases[INSERT_HERE] = "Insert here"; rcPhrases[ADD_1ST] = "Add first reaction condition"; rcPhrases[RXN_CONDN] = "Reaction condition"; rcPhrases[REMOVE] = "Remove"; rcPhrases[AFTER_HERE] = "Insert after here"; // vim:filetype=jsp %>

When the bug is not triggered, the log says:

INFO: answerJava.jsp.h: about to getParameter().
answerJava.jsp.h: did getParameter().

When the bug is triggered, the log says:

INFO: answerJava.jsp.h: about to getParameter().
java.lang.NullPointerException

I did not experience this problem until we moved to a new, Javascript-based, structure-drawing program. The previous one was a Java applet,
and you probably know more horror stories than I do about Java applets. One difference between the previous and the current structure-drawing
programs is that the current one does not put return characters after each XML element, whereas the previous one did. If I add return
characters to the XML above that causes the NPE, I do not get an NPE. But that doesn't mean that I would never get an NPE with some
different XML that did contain return characters.

Finally, I appreciate your disparagement of the code, but I am not writing it from scratch, and it does indeed date back about 15 years.
I recognize that it could be written more efficiently and in a more maintenance-friendly manner, but I am not in a position to rewrite it.
I am just trying to figure out why on very rare occasions, the code fails.

Bob Grossman wrote:If I convert all instances of >< to >\n< before encoding and submitting, I don't get the NPE.

I think the forum software has changed what you entered, because of the markup characters around it. Would you like to clarify?

Also it seems to me that data that large is often sent via the POST method rather than the GET method, because a lot of systems have limits (not necessarily well-documented) to the length of a GET URL they can handle. I don't know if that's a change you can make or not. Using POST would eliminate the requirement for URL-encoding, too.

I don't think the forum changed what I wrote. In XML without return characters, there are many instances of ><, that is, a greater than sign to close one element, and a less than sign to open the next element. I can insert a return character after each element by doing a global replacement of >< with >\n<, like this:

submissionStr = submissionStr.replace(/></g, '>\n<');

And when I do that, the new string does not trigger the NPE. As I said, this is a bizarre bug. Seemingly trivial changes in the URI make a difference in whether the NPE is triggered.

As for GET vs. POST, we already use POST. See line 11 of the first block of code in my very first post in this topic.

Hi Bob,

Paul suggested using POST rather than GET, so that you don't need to encode your url encoding.
Your response was that you were using POST - which you are. The parameters are sent via xmlHttp.send() on line 16.

So that would suggest you don't need to have the call to encodeURIComponent on line 2 of your source. Maybe that might be a source of trouble?
If the send method will encode your parameters for you, then encoding things twice might be a potential issue :-)


My suggestion - try and take the JSP part out of the equation.
Refactor the JSP expressions out of this javascript fragment into variables that you use in the javascript.
Can you reproduce this issue with 'hard-coded' values?
That will mean you can then unit test just the javascript section without needing to actually run it as a JSP.


cheers,
Stefan

I just have two comments to make:

First, you seem to have a workaround which prevents the NPEs from occurring, so maybe you should just go with that.

Second, no matter how malformed an HTML request might be it still shouldn't cause errors in the SSL layer of the server code. So my feeling is that either there's an error in the way Tomcat sets up its connection via SSL, or there's an error in Oracle's SSL code. I would lean towards the latter but only slightly; however if there errors in SSL processing there could be security exploits associated with that error. I'd look into that more closely, for example maybe there's something not quite right about the security certificate you're using to support SSL. Or something like that. Details of just what you should look into are beyond my competence and I'd suggest getting somebody experienced in security to review the situation.

Paul Clapham wrote:
First, you seem to have a workaround which prevents the NPEs from occurring, so maybe you should just go with that.

I would agree, except that because I have no idea what is triggering the error, the workaround may work for this response, but then cause another response that would ordinarily go through, not to go through! So I'm not happy with my workaround.

Stefan Evans wrote:Hi Bob,

Paul suggested using POST rather than GET, so that you don't need to encode your url encoding.
Your response was that you were using POST - which you are. The parameters are sent via xmlHttp.send() on line 16.

So that would suggest you don't need to have the call to encodeURIComponent on line 2 of your source. Maybe that might be a source of trouble?
If the send method will encode your parameters for you, then encoding things twice might be a potential issue :-)

Thanks for your suggestion. I don't see how I can forego encoding. The response that I am sending definitely contains = symbols and may contain & symbols; if I don't encode it, I imagine that the server will try to split up the one parameter into multiple ones, won't it? As a simplified example, if I want to send the value "a&b=c" for parameter p, and I don't encode, I'll be sending "p=a&b=c". and won't the server interpret that as parameter p having a value of "a" and parameter b having a value of "c"?

As fo the rest of your suggestion, I don't understand what I would learn from your suggestion. I know exactly where the NPE occurs, and it doesn't have anything to do with the Javascript.

For those of you following this thread: We recently switched from http to https. Under https, the browser and server use certain SSL cipher protocols to communicate. Apparently, there's a bug associated with the AES ciphers. Changing the server configuration to remove AES/GCM from the list of acceptable ciphers eliminated the problem.

We also found that among the Mac browsers, although Safari and Chrome chose the AES protocol if it was available, and thereby manifested the bug, Firefox did not.

I still don't know what property of a URI causes the AES bug to manifest, but I guess I don't need to know anymore.

Thanks for your willingness to help.