Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Polish 

- Add Reactive equivalent
- Update copyright

Issue gh-13310
This commit is contained in:
Josh Cummings 2023-08-07 15:49:52 -06:00
parent e21da061d3
commit 82c0ddc56d
4 changed files with 18 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
web/src/main/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandler.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

7
web/src/main/java/org/springframework/security/web/server/csrf/XorServerCsrfTokenRequestAttributeHandler.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -88,7 +88,7 @@ public final class XorServerCsrfTokenRequestAttributeHandler extends ServerCsrfT
System.arraycopy(actualBytes, randomBytesSize, xoredCsrf, 0, tokenSize);
byte[] csrfBytes = xorCsrf(randomBytes, xoredCsrf);
return Utf8.decode(csrfBytes);
return (csrfBytes != null) ? Utf8.decode(csrfBytes) : null;
}
private static String createXoredCsrfToken(SecureRandom secureRandom, String token) {
@ -105,6 +105,9 @@ public final class XorServerCsrfTokenRequestAttributeHandler extends ServerCsrfT
}
private static byte[] xorCsrf(byte[] randomBytes, byte[] csrfBytes) {
if (csrfBytes.length < randomBytes.length) {
return null;
}
int len = Math.min(randomBytes.length, csrfBytes.length);
byte[] xoredCsrf = new byte[len];
System.arraycopy(csrfBytes, 0, xoredCsrf, 0, csrfBytes.length);

2
web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

12
web/src/test/java/org/springframework/security/web/server/csrf/XorServerCsrfTokenRequestAttributeHandlerTests.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -182,6 +182,16 @@ public class XorServerCsrfTokenRequestAttributeHandlerTests {
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
}
@Test
public void resolveCsrfTokenIsInvalidThenReturnsNull() {
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
.body(this.token.getParameterName() + "=" + XOR_CSRF_TOKEN_VALUE)).build();
CsrfToken token = new DefaultCsrfToken("headerName", "paramName", "a");
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, token);
assertThat(csrfToken.block()).isNull();
}
private static Answer<Void> fillByteArray() {
return (invocation) -> {
byte[] bytes = invocation.getArgument(0);