
SpaCsrfTokenRequestHandler(Kotlin) documented in csrf-integration-javascript-spa causes NullPointerException

Open meouwu-dev opened this issue 1 year ago • 0 comments

Spring Boot 3.2.1, Spring Security 6.2.1

When the XSRF token is invalid, delegate.resolveCsrfTokenValue returns null, but the return type of SpaCsrfTokenRequestHandler.resolveCsrfTokenValue is not nullable, which causes a NullPointerException.

To Reproduce

Use the setup in csrf-integration-javascript-spa and send a POST request with an invalid XSRF token; the server will throw a NullPointerException.

Expected behavior

The server should throw InvalidCsrfTokenException.

Possible solution

- override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String {
+ override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String? {
        /*
         * If the request contains a request header, use CsrfTokenRequestAttributeHandler
         * to resolve the CsrfToken. This applies when a single-page application includes
         * the header value automatically, which was obtained via a cookie containing the
         * raw CsrfToken.
         */
        return if (StringUtils.hasText(request.getHeader(csrfToken.headerName))) {
            super.resolveCsrfTokenValue(request, csrfToken)
        } else {
            /*
             * In all other cases (e.g. if the request contains a request parameter), use
             * XorCsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
             * when a server-side rendered form includes the _csrf request parameter as a
             * hidden input.
             */
            delegate.resolveCsrfTokenValue(request, csrfToken)
        }
    }
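Review bot: the nullable String? return type on the + line is the correct fix, because the else branch returns delegate.resolveCsrfTokenValue(request, csrfToken) unchanged and, as the report states, that call yields null for an invalid token; with the non-null String on the - line, Kotlin inserts a null check at the return, and that check is the NullPointerException observed instead of the InvalidCsrfTokenException the caller would otherwise raise on a mismatched value. The Kotlin sample in the csrf-integration-javascript-spa reference page should receive the same one-character change, since anyone copying it as documented hits the same failure.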

meouwu-dev, Feb 18 '24 14:02