From 442faccb5ff3802037a8fc11910c596a995f9df2 Mon Sep 17 00:00:00 2001
From: Christian Marck
Date: Thu, 23 Mar 2023 07:59:59 +0100
Subject: [PATCH] Avoid NPE in FilterInvocation
Handle unknown headers in dummy request wrapper.
Closes gh-12998
---
 .../security/web/FilterInvocation.java | 7 +++++-
 .../security/web/FilterInvocationTests.java | 22 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/FilterInvocation.java b/web/src/main/java/org/springframework/security/web/FilterInvocation.java
index 2b848fb50e..028502de1e 100644
--- a/web/src/main/java/org/springframework/security/web/FilterInvocation.java
+++ b/web/src/main/java/org/springframework/security/web/FilterInvocation.java
@@ -26,6 +26,7 @@ import java.lang.reflect.Proxy;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 import javax.servlet.FilterChain;
@@ -257,7 +258,11 @@ public class FilterInvocation {
 @Override
 public Enumeration getHeaders(String name) {
- return Collections.enumeration(this.headers.get(name));
+ List headerList = this.headers.get(name);
+ if (headerList == null) {
+ return Collections.emptyEnumeration();
+ }
+ return Collections.enumeration(headerList);
 }
 @Override
diff --git a/web/src/test/java/org/springframework/security/web/FilterInvocationTests.java b/web/src/test/java/org/springframework/security/web/FilterInvocationTests.java
index 2d1941f3c8..b616bdfdd1 100644
--- a/web/src/test/java/org/springframework/security/web/FilterInvocationTests.java
+++ b/web/src/test/java/org/springframework/security/web/FilterInvocationTests.java
@@ -16,6 +16,9 @@
 package org.springframework.security.web;
+import java.util.Enumeration;
+import java.util.NoSuchElementException;
+
 import javax.servlet.FilterChain;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
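Review bot: The null branch added to `getHeaders` in FilterInvocation.java (second hunk) carries no comment saying why an empty result is the right answer for a request object that only stands in for a real one. I would put `// Servlet contract: an absent header yields an empty Enumeration, never null or an exception` above the `if (headerList == null)` check. The `headers` field and the other header accessors of the dummy request are outside the hunk, so whether they need the same guard for an unknown name cannot be judged from here and is worth a quick look. The enclosing class continues past the hunk.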
@@ -142,4 +145,23 @@ public class FilterInvocationTests {
 assertThat(filterInvocation.getRequest().getServletContext()).isSameAs(mockServletContext);
 }
+ @Test
+ public void testDummyRequestGetHeaders() {
+ DummyRequest request = new DummyRequest();
+ request.addHeader("known", "val");
+ Enumeration headers = request.getHeaders("known");
+ assertThat(headers.hasMoreElements()).isTrue();
+ assertThat(headers.nextElement()).isEqualTo("val");
+ assertThat(headers.hasMoreElements()).isFalse();
+ assertThatExceptionOfType(NoSuchElementException.class).isThrownBy(headers::nextElement);
+ }
+
+ @Test
+ public void testDummyRequestGetHeadersNull() {
+ DummyRequest request = new DummyRequest();
+ Enumeration headers = request.getHeaders("unknown");
+ assertThat(headers.hasMoreElements()).isFalse();
+ assertThatExceptionOfType(NoSuchElementException.class).isThrownBy(headers::nextElement);
+ }
+
 }
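Review bot: `testDummyRequestGetHeadersNull` passes the header name "unknown" and never a null argument, so the name promises a case the test does not exercise; `testDummyRequestGetHeadersWhenUnknownThenEmpty` would describe what is checked. Both tests also look the header up only in the exact case it was added with. The Servlet API defines header names as case-insensitive, so an extra line in the first test such as `assertThat(request.getHeaders("KNOWN").hasMoreElements()).isTrue();` would pin how the dummy request behaves for callers that match on headers. The header store of `DummyRequest` is not visible in this hunk, so the expected outcome of that assertion should be confirmed against the class before adding it.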