Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException #14634

Closed
meouwu-dev opened this issue Feb 18, 2024 · 2 comments
Assignees
Labels
in: docs An issue in Documentation or samples type: bug A general bug
Milestone

Comments

@meouwu-dev
Copy link

springboot:3.2.1
springsecurity:6.2.1

When xsrf token is invalid, delegate.resolveCsrfTokenValue returns null, but the return type of SpaCsrfTokenRequestHandler.resolveCsrfTokenValue is not nullable, which causes NullPointerException

To Reproduce

Use the setup in csrf-integration-javascript-spa, and send a post request with invalid xsrf token, the server will throw NullPointerException.

Expected behavior

the server should throw InvalidCsrfTokenException

Possible solution

- override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String {
+ override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String? {
        /*
         * If the request contains a request header, use CsrfTokenRequestAttributeHandler
         * to resolve the CsrfToken. This applies when a single-page application includes
         * the header value automatically, which was obtained via a cookie containing the
         * raw CsrfToken.
         */
        return if (StringUtils.hasText(request.getHeader(csrfToken.headerName))) {
            super.resolveCsrfTokenValue(request, csrfToken)
        } else {
            /*
             * In all other cases (e.g. if the request contains a request parameter), use
             * XorCsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
             * when a server-side rendered form includes the _csrf request parameter as a
             * hidden input.
             */
            delegate.resolveCsrfTokenValue(request, csrfToken)
        }
    }
@meouwu-dev meouwu-dev added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Feb 18, 2024
@jzheaux jzheaux self-assigned this Mar 4, 2024
@jzheaux
Copy link
Contributor

jzheaux commented Mar 22, 2024

Hi, @meouwu-dev! I've tried applying the code from the reference and sent an invalid CSRF token; however, I get a 403 instead of a NullPointerException.

Can you please provide a reproducing GitHub sample? That will help get to the bottom of the issue faster.

If you like, you can push a commit to https://github.com/jzheaux/spring-security-samples/tree/gh-14634 to change its CSRF sample to better match what you are experiencing.

What I do after running that sample is the following:

http -a user:password POST :8080 Cookie:XSRF-TOKEN=c6e16183-bc43-40cf-8233-aba3959e2ce7 X-XSRF-TOKEN:c6e16183-bc43-40cf-8233-aba3959e2ce8

Note that the header value is invalid, while the repository is valid. The result is a 403.

@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 22, 2024
@sjohnr sjohnr self-assigned this Mar 26, 2024
@sjohnr sjohnr moved this to In Progress in Spring Security Team Mar 26, 2024
@sjohnr sjohnr added this to the 6.1.9 milestone Mar 26, 2024
@sjohnr sjohnr added in: docs An issue in Documentation or samples type: bug A general bug and removed status: waiting-for-feedback We need additional information before we can continue in: web An issue in web modules (web, webmvc) labels Mar 26, 2024
sjohnr added a commit that referenced this issue Mar 26, 2024
@sjohnr sjohnr closed this as completed in 80845d0 Mar 26, 2024
@sjohnr
Copy link
Member

sjohnr commented Mar 26, 2024

Thanks for reporting this @meouwu-dev! I was able to reproduce using a missing token scenario (but not an invalid token) and see the issue exists in the Kotlin example. I've fixed this and additionally added some tests to the testing example in the docs as well.

@sjohnr sjohnr moved this from In Progress to Done in Spring Security Team Mar 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: docs An issue in Documentation or samples type: bug A general bug
Projects
Status: Done
Development

No branches or pull requests

3 participants