Fix NPE when application password response is missing password or UUID #22952
Merged
adalpari merged 3 commits into Jun 11, 2026
The Gson-deserialized ApplicationPasswordCreationResponse declared its fields as non-null, but Gson populates objects via reflection and bypasses Kotlin's null checks. When the API returns a 200 response missing the `password` or `uuid` field, those nulls flowed into the non-null ApplicationPasswordCreationPayload constructor, crashing the app (in the minified release build the parameter null-check compiles to a bare getClass() call, producing the reported NPE).

Make the response fields nullable and validate them, returning the existing error payload instead of crashing. Applied to both the Jetpack and WP-API clients, which share the response type.

Crash report: https://a8c.sentry.io/issues/7522022287/

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dda20c6 to 0da0911
🤖 Build Failure Analysis
This build has failures. Claude has analyzed them - check the build annotations for details.
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## release/26.8 #22952 +/- ##
================================================
+ Coverage 37.34% 37.38% +0.03%
================================================
Files 2320 2320
Lines 124714 124718 +4
Branches 16959 16963 +4
================================================
+ Hits 46580 46631 +51
+ Misses 74370 74323 -47
Partials 3764 3764
crazytonyli pushed a commit that referenced this pull request Jun 12, 2026
crazytonyli added a commit that referenced this pull request Jun 15, 2026
* Fix NPE in Site Settings when refreshing GBKit toggle with null site (#22953)

  The refresh runs from an async onSettingsUpdated callback that only guards with isAdded(), so mSite can be null when isBlockEditorDefault — a non-null Kotlin param — is invoked, crashing on the generated null check.

  Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Fix Sentry 3GCQ/3GDH: keep Gson-deserialized models from R8 full mode (#22954)

  * Fix Sentry WORDPRESS-ANDROID-3GCQ, WORDPRESS-ANDROID-3GDH: keep recommend models from R8

    AGP 9's R8 full mode (introduced in 26.8) was transforming RecommendApiCallsProvider$RecommendTemplateData, causing InstantiationException and ClassCastException when Gson tried to deserialize the /mobile/share-app-link response.

    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

  * Keep additional Gson-deserialized models from R8

    Audit of fromJson<T> call sites surfaced more Kotlin data classes that AGP 9's R8 full mode could class-merge or strip the same way it did to RecommendTemplateData. Adds -keep rules for:

    - InviteLinksApiCallsProvider.InviteLinksItem
    - ReaderReadingPreferences (incl. Theme/FontFamily/FontSize enums)
    - SubfilterListItemMapper.MappedSubfilterListItem
    - StatsCardsConfiguration + StatsCardType
    - SubscribersCardsConfiguration + SubscribersCardType
    - InsightsCardsConfigurationRepository.PersistedConfig + InsightsCardType

    These have not yet appeared in Sentry for 26.8-rc-5, but the rc-5 user base is small and the affected paths (Reader startup, new stats screens, invite links) are high-traffic enough that they would likely surface in Beta/GA.

    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

  ---------

  Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Fix NPE when application password response is missing password or UUID (#22952)

  The Gson-deserialized ApplicationPasswordCreationResponse declared its fields as non-null, but Gson populates objects via reflection and bypasses Kotlin's null checks. When the API returns a 200 response missing the `password` or `uuid` field, those nulls flowed into the non-null ApplicationPasswordCreationPayload constructor, crashing the app (in the minified release build the parameter null-check compiles to a bare getClass() call, producing the reported NPE).

  Make the response fields nullable and validate them, returning the existing error payload instead of crashing. Applied to both the Jetpack and WP-API clients, which share the response type.

  Crash report: https://a8c.sentry.io/issues/7522022287/

  Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Update translations
* Update WordPress metadata translations for 26.8
* Update Jetpack metadata translations for 26.8
* Bump version number
* Update translations
* Bump version number

---------

Co-authored-by: Adalberto Plaza <adalpari@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Nick Bradbury <nbradbury@users.noreply.github.com>
Co-authored-by: Automattic Release Bot <mobile+wpmobilebot@automattic.com>


Description
Fixes a crash when the WordPress.com / WP-API application password endpoint returns a `200` response that is missing the `password` or `uuid` field.

`ApplicationPasswordCreationResponse` declared its fields as non-null, but Gson populates objects via reflection and bypasses Kotlin's null-safety. When the field is absent/null in the JSON, the value flowed into the non-null `ApplicationPasswordCreationPayload` constructor and threw an NPE. In the minified release build the parameter null-check compiles to a bare `getClass()` call, which is exactly the reported crash signature.

Fix
- `uuid`, `name`, and `password` on `ApplicationPasswordCreationResponse` nullable to match what Gson can actually produce.
- `password` or `uuid` is missing, return the existing error payload ("Password or UUID missing from response") instead of crashing. The result propagates as a normal `ApplicationPasswordCreationResult.Failure` — the same path used for other creation errors.
- `JetpackApplicationPasswordsRestClient` (where the crash was reported) and `WPApiApplicationPasswordsRestClient`, which share the response type.

Tests
Added unit tests for both clients covering: valid response, null password, null uuid, null body, and network error.

Crash report
https://a8c.sentry.io/issues/7522022287/?environment=prod&environment=release&project=5731682&query=release%3A%22com.jetpack.android%4026.8-rc-5%2B1493%22&referrer=release-issue-stream

Reported on com.jetpack.android@26.8-rc-5+1493.

🤖 Generated with Claude Code
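
The failure mode and the fix described in this PR, as an added Kotlin example that is not the project's own code. The type names (`ResponseBefore`, `ResponseAfter`, `CreationPayload`, `CreationResult`) are hypothetical stand-ins for the classes named above, the JSON bodies are constructed, and Gson is assumed to be on the classpath.

```kotlin
import com.google.gson.Gson

// Hypothetical stand-ins for the types named in the PR (their real definitions are not on this page).
data class ResponseBefore(val uuid: String, val name: String, val password: String)
data class ResponseAfter(val uuid: String?, val name: String?, val password: String?)
data class CreationPayload(val password: String, val uuid: String)

sealed class CreationResult {
    data class Success(val payload: CreationPayload) : CreationResult()
    data class Failure(val message: String) : CreationResult()
}

// Validate at the trust boundary: the server response is untrusted input, so a
// missing credential field becomes an ordinary failure instead of a crash.
fun toResult(response: ResponseAfter?): CreationResult {
    val password = response?.password
    val uuid = response?.uuid
    return if (password == null || uuid == null) {
        CreationResult.Failure("Password or UUID missing from response")
    } else {
        CreationResult.Success(CreationPayload(password, uuid))
    }
}

fun main() {
    val gson = Gson()
    // Constructed sample bodies: a 200 response without "password", and a complete one.
    val missingPassword = """{"uuid":"00000000-0000-0000-0000-000000000000","name":"demo"}"""
    val complete = """{"uuid":"00000000-0000-0000-0000-000000000000","name":"demo","password":"constructed-value"}"""

    // Before: Gson allocates the object without running a constructor, so the
    // "non-null" property silently holds null.
    val before = gson.fromJson(missingPassword, ResponseBefore::class.java)
    val raw: Any? = before.password
    println("non-null property is null at runtime: ${raw == null}")

    // The null is only caught when it crosses into a Kotlin function with non-null parameters.
    val crash = runCatching { CreationPayload(before.password, before.uuid) }
    println("before: ${crash.exceptionOrNull()?.javaClass?.simpleName}")

    // After: nullable fields plus explicit validation. Only the result type is
    // printed so the credential never reaches the log. "null" is a literal null body.
    for (body in listOf(missingPassword, "null", complete)) {
        val result = toResult(gson.fromJson(body, ResponseAfter::class.java))
        println("after: ${result.javaClass.simpleName}")
    }
}
```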