diff --git a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java index 3d9e1eaf8e..add52d1b56 100644 --- a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java @@ -17,7 +17,6 @@ package org.springframework.security.web.csrf; import java.io.IOException; -import java.lang.reflect.Method; import java.util.Arrays; import javax.servlet.FilterChain; @@ -97,18 +96,6 @@ public class CsrfFilterTests { this.response = new MockHttpServletResponse(); } - @Test - public void nullConstantTimeEquals() throws Exception { - Method method = CsrfFilter.class.getDeclaredMethod("equalsConstantTime", String.class, String.class); - method.setAccessible(true); - assertThat(method.invoke(CsrfFilter.class, null, null)).isEqualTo(true); - String expectedToken = "Hello—World"; - String actualToken = new String("Hello—World"); - assertThat(method.invoke(CsrfFilter.class, expectedToken, null)).isEqualTo(false); - assertThat(method.invoke(CsrfFilter.class, expectedToken, "hello-world")).isEqualTo(false); - assertThat(method.invoke(CsrfFilter.class, expectedToken, actualToken)).isEqualTo(true); - } - @Test public void constructorNullRepository() { assertThatIllegalArgumentException().isThrownBy(() -> new CsrfFilter(null)); @@ -333,6 +320,20 @@ public class CsrfFilterTests { verifyZeroInteractions(repository); } + // gh-9561 + @Test + public void doFilterWhenTokenIsNullThenNoNullPointer() throws Exception { + CsrfFilter filter = createCsrfFilter(this.tokenRepository); + CsrfToken token = mock(CsrfToken.class); + given(token.getToken()).willReturn(null); + given(token.getHeaderName()).willReturn(this.token.getHeaderName()); + given(token.getParameterName()).willReturn(this.token.getParameterName()); + given(this.tokenRepository.loadToken(this.request)).willReturn(token); + given(this.requestMatcher.matches(this.request)).willReturn(true); + filter.doFilterInternal(this.request, this.response, this.filterChain); + assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK); + } + @Test public void setRequireCsrfProtectionMatcherNull() { assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setRequireCsrfProtectionMatcher(null)); diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java index 04c3d2715e..c531bfca3f 100644 --- a/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java @@ -16,8 +16,6 @@ package org.springframework.security.web.server.csrf; -import java.lang.reflect.Method; - import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.Mock; @@ -67,18 +65,6 @@ public class CsrfWebFilterTests { private MockServerWebExchange post = MockServerWebExchange.from(MockServerHttpRequest.post("/")); - @Test - public void nullConstantTimeEquals() throws Exception { - Method method = CsrfWebFilter.class.getDeclaredMethod("equalsConstantTime", String.class, String.class); - method.setAccessible(true); - assertThat(method.invoke(CsrfWebFilter.class, null, null)).isEqualTo(true); - String expectedToken = "Hello—World"; - String actualToken = new String("Hello—World"); - assertThat(method.invoke(CsrfWebFilter.class, expectedToken, null)).isEqualTo(false); - assertThat(method.invoke(CsrfWebFilter.class, expectedToken, "hello-world")).isEqualTo(false); - assertThat(method.invoke(CsrfWebFilter.class, expectedToken, actualToken)).isEqualTo(true); - } - @Test public void filterWhenGetThenSessionNotCreatedAndChainContinues() { PublisherProbe chainResult = PublisherProbe.empty(); @@ -226,6 +212,21 @@ public class CsrfWebFilterTests { .isForbidden(); } + // gh-9561 + @Test + public void doFilterWhenTokenIsNullThenNoNullPointer() { + this.csrfFilter.setCsrfTokenRepository(this.repository); + CsrfToken token = mock(CsrfToken.class); + given(token.getToken()).willReturn(null); + given(token.getHeaderName()).willReturn(this.token.getHeaderName()); + given(token.getParameterName()).willReturn(this.token.getParameterName()); + given(this.repository.loadToken(any())).willReturn(Mono.just(token)); + WebTestClient client = WebTestClient.bindToController(new OkController()).webFilter(this.csrfFilter).build(); + client.post().uri("/").contentType(MediaType.APPLICATION_FORM_URLENCODED) + .bodyValue(this.token.getParameterName() + "=" + this.token.getToken()).exchange().expectStatus() + .isForbidden(); + } + @RestController static class OkController {