Fix sensitive case in JwtTypeValidator

Closes gh-18092 Signed-off-by: namest504 <namest504@gmail.com>
2025-11-10 11:39:02 +00:00 · 2025-10-24 15:49:10 +09:00 · 2025-10-24 15:49:10 +09:00 · 6501e97ece
commit 6501e97ece
parent f548aaf5c5
2 changed files with 12 additions and 2 deletions
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java
@ -72,9 +72,11 @@ public final class JwtTypeValidator implements OAuth2TokenValidator<Jwt> {
 		if (this.allowEmpty && !StringUtils.hasText(typ)) {
 			return OAuth2TokenValidatorResult.success();
 		}
-		if (this.validTypes.contains(typ)) {
+		for (String validType : this.validTypes) {
 			if (validType.equalsIgnoreCase(typ)) {
 				return OAuth2TokenValidatorResult.success();
 			}
 		}
 		return OAuth2TokenValidatorResult.failure(new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
 				"the given typ value needs to be one of " + this.validTypes,
 				"https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9"));
--- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java
+++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java
@ -44,4 +44,12 @@ class JwtTypeValidatorTests {
 		assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
 	}
 	@Test
 	void validateWhenTypHeaderHasDifferentCaseThenSuccess() {
 		Jwt.Builder jwt = TestJwts.jwt();
 		JwtTypeValidator validator = new JwtTypeValidator("at+jwt");
 		jwt.header(JoseHeaderNames.TYP, "AT+JWT");
 		assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
 	}
 }