Add NPE Guards

- Like values, names are only validated if they are not null

Closes gh-9598
Josh Cummings 2021-04-22 11:17:25 -06:00
parent 6725b1324a
commit 2c625f30e0
2 changed files with 62 additions and 8 deletions


@ -1,5 +1,5 @@
/*
* Copyright 2012-2020 the original author or authors.
* Copyright 2012-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -610,19 +610,25 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override
public long getDateHeader(String name) {
if (name != null) {
validateAllowedHeaderName(name);
}
return super.getDateHeader(name);
}
@Override
public int getIntHeader(String name) {
if (name != null) {
validateAllowedHeaderName(name);
}
return super.getIntHeader(name);
}
@Override
public String getHeader(String name) {
if (name != null) {
validateAllowedHeaderName(name);
}
String value = super.getHeader(name);
if (value != null) {
validateAllowedHeaderValue(value);
@ -632,7 +638,9 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override
public Enumeration<String> getHeaders(String name) {
if (name != null) {
validateAllowedHeaderName(name);
}
Enumeration<String> headers = super.getHeaders(name);
return new Enumeration<String>() {
@ -673,7 +681,9 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override
public String getParameter(String name) {
if (name != null) {
validateAllowedParameterName(name);
}
String value = super.getParameter(name);
if (value != null) {
validateAllowedParameterValue(value);
@ -717,7 +727,9 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override
public String[] getParameterValues(String name) {
if (name != null) {
validateAllowedParameterName(name);
}
String[] values = super.getParameterValues(name);
if (values != null) {
for (String value : values) {
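Review bot: None of the six new `if (name != null)` guards (getDateHeader, getIntHeader, getHeader, getHeaders, getParameter, getParameterValues) says that a null name is deliberately passed to the wrapped request without validation. What a caller gets back for null is therefore decided by the container, not by the firewall. A comment on each guard, for example `// a null name has nothing to validate; the wrapped request decides the result`, would make the pass-through an explicit decision. If the intent is that no accessor should ever hit the NPE, placing the null check once inside validateAllowedHeaderName and validateAllowedParameterName would also cover accessors added later; both helpers are outside these hunks, so confirm they have no callers that rely on null being rejected. The getHeader, getHeaders, getParameter and getParameterValues bodies continue past their hunks.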


@ -1,5 +1,5 @@
/*
* Copyright 2012-2020 the original author or authors.
* Copyright 2012-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -26,6 +26,7 @@ import org.junit.Test;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
/**
@ -690,4 +691,45 @@ public class StrictHttpFirewallTests {
.isThrownBy(() -> request.getParameterValues("bad name"));
}
// gh-9598
@Test
public void getFirewalledRequestGetParameterWhenNameIsNullThenIllegalArgumentException() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> request.getParameter(null));
}
// gh-9598
@Test
public void getFirewalledRequestGetParameterValuesWhenNameIsNullThenIllegalArgumentException() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> request.getParameterValues(null));
}
// gh-9598
@Test
public void getFirewalledRequestGetHeaderWhenNameIsNullThenNull() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThat(request.getHeader(null)).isNull();
}
// gh-9598
@Test
public void getFirewalledRequestGetHeadersWhenNameIsNullThenEmptyEnumeration() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThat(request.getHeaders(null).hasMoreElements()).isFalse();
}
// gh-9598
@Test
public void getFirewalledRequestGetIntHeaderWhenNameIsNullThenNegativeOne() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThat(request.getIntHeader(null)).isEqualTo(-1);
}
@Test
public void getFirewalledRequestGetDateHeaderWhenNameIsNullThenNegativeOne() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThat(request.getDateHeader(null)).isEqualTo(-1);
}
}
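Review bot: The two parameter tests expect IllegalArgumentException for a null name, but the visible firewall code only skips validation and delegates, so the exception presumably comes from MockHttpServletRequest and not from StrictHttpFirewall. The test names present it as the firewall's contract, and a real container may return null instead. A comment such as `// the mock rejects null names; the firewall only passes null through` on those two tests would keep readers from treating the exception as a firewall guarantee. The header tests have the same dependency on the mock's return values (null, empty enumeration, -1). The last test, getFirewalledRequestGetDateHeaderWhenNameIsNullThenNegativeOne, is also missing the `// gh-9598` marker that the other five carry.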