Add NPE Guards

jzheaux · jzheaux · commit 2c625f30e084 · 2021-04-22T11:28:25.000-06:00
- Like values, names are only validated if they are not null Closes gh-9598
diff --git a/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java b/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -610,19 +610,25 @@ private class StrictFirewalledRequest extends FirewalledRequest {
 
 		@Override
 		public long getDateHeader(String name) {
-			validateAllowedHeaderName(name);
+			if (name != null) {
+				validateAllowedHeaderName(name);
+			}
 			return super.getDateHeader(name);
 		}
 
 		@Override
 		public int getIntHeader(String name) {
-			validateAllowedHeaderName(name);
+			if (name != null) {
+				validateAllowedHeaderName(name);
+			}
 			return super.getIntHeader(name);
 		}
 
 		@Override
 		public String getHeader(String name) {
-			validateAllowedHeaderName(name);
+			if (name != null) {
+				validateAllowedHeaderName(name);
+			}
 			String value = super.getHeader(name);
 			if (value != null) {
 				validateAllowedHeaderValue(value);
@@ -632,7 +638,9 @@ public String getHeader(String name) {
 
 		@Override
 		public Enumeration<String> getHeaders(String name) {
-			validateAllowedHeaderName(name);
+			if (name != null) {
+				validateAllowedHeaderName(name);
+			}
 			Enumeration<String> headers = super.getHeaders(name);
 			return new Enumeration<String>() {
 
@@ -673,7 +681,9 @@ public String nextElement() {
 
 		@Override
 		public String getParameter(String name) {
-			validateAllowedParameterName(name);
+			if (name != null) {
+				validateAllowedParameterName(name);
+			}
 			String value = super.getParameter(name);
 			if (value != null) {
 				validateAllowedParameterValue(value);
@@ -717,7 +727,9 @@ public String nextElement() {
 
 		@Override
 		public String[] getParameterValues(String name) {
-			validateAllowedParameterName(name);
+			if (name != null) {
+				validateAllowedParameterName(name);
+			}
 			String[] values = super.getParameterValues(name);
 			if (values != null) {
 				for (String value : values) {
diff --git a/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java b/web/src/test/java/org/springframework/security/web/firewall/StrictHttpFirewallTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@
 import org.springframework.http.HttpMethod;
 import org.springframework.mock.web.MockHttpServletRequest;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
 /**
@@ -690,4 +691,45 @@ public void getFirewalledRequestGetParameterValuesWhenNotAllowedInParameterNameT
 				.isThrownBy(() -> request.getParameterValues("bad name"));
 	}
 
+	// gh-9598
+	@Test
+	public void getFirewalledRequestGetParameterWhenNameIsNullThenIllegalArgumentException() {
+		HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
+		assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> request.getParameter(null));
+	}
+
+	// gh-9598
+	@Test
+	public void getFirewalledRequestGetParameterValuesWhenNameIsNullThenIllegalArgumentException() {
+		HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
+		assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> request.getParameterValues(null));
+	}
+
+	// gh-9598
+	@Test
+	public void getFirewalledRequestGetHeaderWhenNameIsNullThenNull() {
+		HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
+		assertThat(request.getHeader(null)).isNull();
+	}
+
+	// gh-9598
+	@Test
+	public void getFirewalledRequestGetHeadersWhenNameIsNullThenEmptyEnumeration() {
+		HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
+		assertThat(request.getHeaders(null).hasMoreElements()).isFalse();
+	}
+
+	// gh-9598
+	@Test
+	public void getFirewalledRequestGetIntHeaderWhenNameIsNullThenNegativeOne() {
+		HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
+		assertThat(request.getIntHeader(null)).isEqualTo(-1);
+	}
+
+	@Test
+	public void getFirewalledRequestGetDateHeaderWhenNameIsNullThenNegativeOne() {
+		HttpServletRequest request = this.firewall.getFirewalledRequest(this.request);
+		assertThat(request.getDateHeader(null)).isEqualTo(-1);
+	}
+
 }
