From 1399a82ea92eb43b49be66724df30fe4ff3e8d86 Mon Sep 17 00:00:00 2001
From: DingHao
Date: Mon, 14 Oct 2024 16:21:57 +0800
Subject: [PATCH] Return Null Request When Cookie Is Malformed

Closes gh-15905
---
 .../web/savedrequest/CookieRequestCache.java | 15 ++++++++++++---
 .../web/savedrequest/CookieRequestCacheTests.java | 12 +++++++++++-
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/CookieRequestCache.java b/web/src/main/java/org/springframework/security/web/savedrequest/CookieRequestCache.java
index a44e9304c09..cd4d572bf30 100644
--- a/web/src/main/java/org/springframework/security/web/savedrequest/CookieRequestCache.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/CookieRequestCache.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -74,6 +74,9 @@ public SavedRequest getRequest(HttpServletRequest request, HttpServletResponse r
 return null;
 }
 String originalURI = decodeCookie(savedRequestCookie.getValue());
+ if (originalURI == null) {
+ return null;
+ }
 UriComponents uriComponents = UriComponentsBuilder.fromUriString(originalURI).build();
 DefaultSavedRequest.Builder builder = new DefaultSavedRequest.Builder();
 int port = getPort(uriComponents);
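Review bot: The new `originalURI == null` guard in getRequest only covers cookies that fail Base64 decoding; a client-supplied cookie that is well-formed Base64 but does not decode to a URI still reaches `UriComponentsBuilder.fromUriString(originalURI)` on the following line, which may throw for input it cannot parse. Because the cookie value is entirely client-controlled, I would treat a parse failure the same way as a decode failure, i.e. wrap the `fromUriString(...).build()` call in `try { ... } catch (IllegalArgumentException ex) { return null; }`. The test added to CookieRequestCacheTests exercises only the non-alphabet case (`"123^456"`), so a second case with a valid Base64 payload that is not a URI would pin this behaviour. getRequest starts and ends outside the hunk, so how the rest of the method uses `uriComponents` is not visible here.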
@@ -123,8 +126,14 @@ private static String encodeCookie(String cookieValue) {
 return Base64.getEncoder().encodeToString(cookieValue.getBytes());
 }
 
- private static String decodeCookie(String encodedCookieValue) {
- return new String(Base64.getDecoder().decode(encodedCookieValue.getBytes()));
+ private String decodeCookie(String encodedCookieValue) {
+ try {
+ return new String(Base64.getDecoder().decode(encodedCookieValue.getBytes()));
+ }
+ catch (IllegalArgumentException ex) {
+ this.logger.debug("Failed decode cookie value " + encodedCookieValue);
+ return null;
+ }
 }
 
 private static String getCookiePath(HttpServletRequest request) {
diff --git a/web/src/test/java/org/springframework/security/web/savedrequest/CookieRequestCacheTests.java b/web/src/test/java/org/springframework/security/web/savedrequest/CookieRequestCacheTests.java
index 409da91e369..bd01e3557b9 100644
--- a/web/src/test/java/org/springframework/security/web/savedrequest/CookieRequestCacheTests.java
+++ b/web/src/test/java/org/springframework/security/web/savedrequest/CookieRequestCacheTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -213,4 +213,14 @@ private static String decodeCookie(String encodedCookieValue) {
 return new String(Base64.getDecoder().decode(encodedCookieValue.getBytes()));
 }
 
+ // gh-15905
+ @Test
+ public void illegalCookieValueReturnNull() {
+ CookieRequestCache cookieRequestCache = new CookieRequestCache();
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setCookies(new Cookie(DEFAULT_COOKIE_NAME, "123^456"));
+ SavedRequest savedRequest = cookieRequestCache.getRequest(request, new MockHttpServletResponse());
+ assertThat(savedRequest).isNull();
+ }
+
 }
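Review bot: In the new `catch` block of CookieRequestCache.decodeCookie, the debug statement concatenates the raw, client-controlled cookie value into the log message, so an attacker-chosen string of arbitrary length lands in log output and the message is built even when debug logging is off. I would drop the value and pass the exception instead, e.g. `this.logger.debug("Failed to decode saved request cookie", ex);` (assuming `logger` is the commons-logging `Log`, whose declaration is outside the hunk). Separately, `new String(...)` and `getBytes()` here and in `encodeCookie` rely on the platform default charset; passing `StandardCharsets.UTF_8` on both sides would make the round trip independent of JVM settings. A one-line Javadoc on decodeCookie saying it returns `null` when the input is not valid Base64 would document the new contract that getRequest now depends on.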