Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 09:12:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add NPE Guards

Browse Source 
- Like values, names are only validated if they are not null

Closes gh-9598
This commit is contained in:
Josh Cummings 2021-04-22 11:17:25 -06:00
parent b0011893d2
commit cb6e4f4a11
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 62 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2012-2020 the original author or authors. * Copyright 2012-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -610,19 +610,25 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override @Override
public long getDateHeader(String name) { public long getDateHeader(String name) {
validateAllowedHeaderName(name); if (name != null) {
validateAllowedHeaderName(name);
}
return super.getDateHeader(name); return super.getDateHeader(name);
} }
@Override @Override
public int getIntHeader(String name) { public int getIntHeader(String name) {
validateAllowedHeaderName(name); if (name != null) {
validateAllowedHeaderName(name);
}
return super.getIntHeader(name); return super.getIntHeader(name);
} }
@Override @Override
public String getHeader(String name) { public String getHeader(String name) {
validateAllowedHeaderName(name); if (name != null) {
validateAllowedHeaderName(name);
}
String value = super.getHeader(name); String value = super.getHeader(name);
if (value != null) { if (value != null) {
validateAllowedHeaderValue(value); validateAllowedHeaderValue(value);
@ -632,7 +638,9 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override @Override
public Enumeration<String> getHeaders(String name) { public Enumeration<String> getHeaders(String name) {
validateAllowedHeaderName(name); if (name != null) {
validateAllowedHeaderName(name);
}
Enumeration<String> headers = super.getHeaders(name); Enumeration<String> headers = super.getHeaders(name);
return new Enumeration<String>() { return new Enumeration<String>() {
@ -673,7 +681,9 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override @Override
public String getParameter(String name) { public String getParameter(String name) {
validateAllowedParameterName(name); if (name != null) {
validateAllowedParameterName(name);
}
String value = super.getParameter(name); String value = super.getParameter(name);
if (value != null) { if (value != null) {
validateAllowedParameterValue(value); validateAllowedParameterValue(value);
@ -717,7 +727,9 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override @Override
public String[] getParameterValues(String name) { public String[] getParameterValues(String name) {
validateAllowedParameterName(name); if (name != null) {
validateAllowedParameterName(name);
}
String[] values = super.getParameterValues(name); String[] values = super.getParameterValues(name);
if (values != null) { if (values != null) {
for (String value : values) { for (String value : values) {

44
web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2012-2020 the original author or authors. * Copyright 2012-2021 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -26,6 +26,7 @@ import org.junit.Test;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
/** /**
@ -690,4 +691,45 @@ public class StrictHttpFirewallTests {
.isThrownBy(() -> request.getParameterValues("bad name")); .isThrownBy(() -> request.getParameterValues("bad name"));
} }
// gh-9598
@Test
public void getFirewalledRequestGetParameterWhenNameIsNullThenIllegalArgumentException() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> request.getParameter(null));
}
// gh-9598
@Test
public void getFirewalledRequestGetParameterValuesWhenNameIsNullThenIllegalArgumentException() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> request.getParameterValues(null));
}
// gh-9598
@Test
public void getFirewalledRequestGetHeaderWhenNameIsNullThenNull() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThat(request.getHeader(null)).isNull();
}
// gh-9598
@Test
public void getFirewalledRequestGetHeadersWhenNameIsNullThenEmptyEnumeration() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThat(request.getHeaders(null).hasMoreElements()).isFalse();
}
// gh-9598
@Test
public void getFirewalledRequestGetIntHeaderWhenNameIsNullThenNegativeOne() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThat(request.getIntHeader(null)).isEqualTo(-1);
}
@Test
public void getFirewalledRequestGetDateHeaderWhenNameIsNullThenNegativeOne() {
HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
assertThat(request.getDateHeader(null)).isEqualTo(-1);
}
} }