NullPointerException in StrictHttpFirewall spring-security-web version 5.4.5 #9598

Closed
hitesh-modi opened this issue Apr 12, 2021 · 0 comments
Labels
in: web An issue in web modules (web, webmvc) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Comments

@hitesh-modi
Description
When request.getParameter(null) is called with spring-security-web 5.4.5, a NullPointerException is thrown from StrictHttpFirewall.java.

java.lang.NullPointerException: null
    at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
    at java.util.regex.Matcher.reset(Matcher.java:309)
    at java.util.regex.Matcher.<init>(Matcher.java:229)
    at java.util.regex.Pattern.matcher(Pattern.java:1093)
    at org.springframework.security.web.firewall.StrictHttpFirewall.lambda$static$1(StrictHttpFirewall.java:122)
    at org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.validateAllowedParameterName(StrictHttpFirewall.java:745)
    at org.springframework.security.web.firewall.StrictHttpFirewall$StrictFirewalledRequest.getParameter(StrictHttpFirewall.java:676)
    at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:161)
    at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:161)

To Reproduce
Call request.getParameter(null)

Expected behavior
In the earlier version 5.3.8, request.getParameter(null) used to return null rather than throw an NPE.

@hitesh-modi hitesh-modi added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 12, 2021
@jzheaux jzheaux added this to the 5.5.0 milestone Apr 21, 2021
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 21, 2021
jzheaux added a commit that referenced this issue Apr 22, 2021
- Like values, names are only validated if they are not null

Closes gh-9598
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Apr 22, 2021
@jzheaux jzheaux modified the milestones: 5.5.0, 5.5.0-RC2 Apr 27, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
- Like values, names are only validated if they are not null

Closes spring-projectsgh-9598
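
The failure in the stack trace (a regex-backed name check receiving null) and the guard described in the commit message, shown side by side as an added example that is not Spring Security's own code. The class name, method names, the control-character pattern and the sample parameter map are assumptions made for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Predicate;
import java.util.regex.Pattern;

public class NullParameterNameDemo {
    // Assumed rule for this demo: a name is allowed if it has no control characters.
    private static final Pattern NO_CONTROL_CHARS = Pattern.compile("[^\\p{Cntrl}]*");

    // Pattern.matcher(null) throws NullPointerException, so this predicate is not null-safe.
    static final Predicate<String> ALLOWED_NAME = (s) -> NO_CONTROL_CHARS.matcher(s).matches();

    // Constructed sample parameters; HashMap.get(null) returns null instead of throwing.
    static final Map<String, String> PARAMS = new HashMap<>();
    static {
        PARAMS.put("user", "alice");
    }

    // Behaviour reported in the issue: every name is validated, including null.
    static String getParameterUnguarded(String name) {
        if (!ALLOWED_NAME.test(name)) {
            throw new IllegalArgumentException("rejected parameter name");
        }
        return PARAMS.get(name);
    }

    // Behaviour described by the fix: names are only validated if they are not null.
    static String getParameterGuarded(String name) {
        if (name != null && !ALLOWED_NAME.test(name)) {
            throw new IllegalArgumentException("rejected parameter name");
        }
        return PARAMS.get(name);
    }

    public static void main(String[] args) {
        try {
            getParameterUnguarded(null);
        } catch (NullPointerException e) {
            System.out.println("unguarded, null name: NullPointerException");
        }
        System.out.println("guarded, null name: " + getParameterGuarded(null));
        System.out.println("guarded, known name: " + getParameterGuarded("user"));
        try {
            getParameterGuarded("bad\tname"); // tab is a control character
        } catch (IllegalArgumentException e) {
            System.out.println("guarded, control char in name: " + e.getMessage());
        }
    }
}
```

The guard only skips validation for a null name; non-null names still pass through the same check, so the rejection path for disallowed names is unchanged.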