ArrayIndexOutOfBoundsException in XorCsrfTokenRequestAttributeHandler #13310
Comments
Can I work on this issue? |
@kevin2jordan, are you still interested in this issue? A PR would be most welcome! |
- Add Reactive equivalent - Update copyright Issue spring-projectsgh-13310
This issue is not completely fixed yet. During an attack we still get
in version spring-security 6.2.1. Specifically, the problem lies in the following line in the file XorCsrfTokenRequestAttributeHandler.java:
Here, you're attempting to copy csrfBytes.length elements from csrfBytes into xoredCsrf. However, xoredCsrf is only as long as the smaller of the two arrays (randomBytes.length or csrfBytes.length), as determined by the preceding line:
This will cause an ArrayIndexOutOfBoundsException when csrfBytes.length is greater than len, because you're trying to copy more elements than xoredCsrf can hold. To fix this, you should copy only len elements, not csrfBytes.length elements, since len is the length of the destination array xoredCsrf.
In version 6.1.8, I had the same problem as @maximilianschweitzer. Hopefully this will be resolved |
Hi, @jzheaux, I have made a quick fix for this issue. Please kindly help review. |
@maximilianschweitzer thanks for reporting the additional finding. I am considering this a bug and plan to backport the fix to OSS supported branches. @kratosmy thanks for submitting a PR. I will provide feedback on the PR. |
java.lang.ArrayIndexOutOfBoundsException is thrown in XorCsrfTokenRequestAttributeHandler during attack
Affects version spring-security 6.0.3 (I have not tested 6.1)
To reproduce modify csrf token values on client side (cookie based tokens)
Expected behavior
getTokenValue should validate encoded token length and return null if value is incorrect. Generating stacktrace for exception is much more expensive and may impact performance.
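The following is an added example, not Spring Security's own code: a minimal XOR-masked CSRF token scheme in the shape this thread describes (random bytes followed by random XOR token, Base64url-encoded). It puts the fragile unmasking step from the comment above (an `xoredCsrf` array sized by the smaller input while the copy uses `csrfBytes.length`) next to a hardened `unmaskHardened` that does what the issue body asks for: validate the decoded length up front and return null on a malformed value instead of throwing. The class and method names, the sample token and the tampered input are all constructed here; a decoded value of odd length is what makes the masked half one byte longer than the random half and triggers the exception in the fragile path.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added example (not Spring Security's code). Models the masking scheme this
// issue discusses so the length bug and its fix can be run side by side.
public class XorCsrfLengthCheckDemo {

    // Masking: out = random || (random XOR token), Base64url without padding.
    static String mask(byte[] token, SecureRandom rng) {
        byte[] random = new byte[token.length];
        rng.nextBytes(random);
        byte[] out = new byte[2 * token.length];
        System.arraycopy(random, 0, out, 0, token.length);
        for (int i = 0; i < token.length; i++) {
            out[token.length + i] = (byte) (random[i] ^ token[i]);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // The pattern described in the thread: xoredCsrf is sized by the smaller
    // array, but the copy uses csrfBytes.length, so when csrfBytes is longer
    // than randomBytes the copy runs past the destination.
    static byte[] xorFragile(byte[] randomBytes, byte[] csrfBytes) {
        int len = Math.min(randomBytes.length, csrfBytes.length);
        byte[] xoredCsrf = new byte[len];
        System.arraycopy(csrfBytes, 0, xoredCsrf, 0, csrfBytes.length); // throws if csrfBytes.length > len
        for (int i = 0; i < len; i++) {
            xoredCsrf[i] ^= randomBytes[i];
        }
        return xoredCsrf;
    }

    // Fragile unmasking: splits the decoded value in half without checking
    // that its length is even, so an odd-length value reaches xorFragile
    // with csrfBytes one byte longer than randomBytes.
    static byte[] unmaskFragile(String actual) {
        byte[] actualBytes = Base64.getUrlDecoder().decode(actual);
        int tokenSize = actualBytes.length / 2;
        byte[] randomBytes = Arrays.copyOf(actualBytes, tokenSize);
        byte[] csrfBytes = Arrays.copyOfRange(actualBytes, tokenSize, actualBytes.length);
        return xorFragile(randomBytes, csrfBytes);
    }

    // Hardened unmasking: reject anything that is not exactly twice the
    // expected token length, and return null rather than throw. The caller
    // compares the returned bytes against the stored token.
    static byte[] unmaskHardened(String actual, int expectedTokenLength) {
        if (actual == null || actual.isEmpty()) {
            return null;
        }
        byte[] actualBytes;
        try {
            actualBytes = Base64.getUrlDecoder().decode(actual);
        } catch (IllegalArgumentException ex) {
            return null; // not valid Base64url
        }
        if (actualBytes.length != 2 * expectedTokenLength) {
            return null; // truncated, extended or otherwise tampered value
        }
        byte[] token = new byte[expectedTokenLength];
        for (int i = 0; i < expectedTokenLength; i++) {
            token[i] = (byte) (actualBytes[i] ^ actualBytes[expectedTokenLength + i]);
        }
        return token;
    }

    public static void main(String[] args) {
        // Constructed sample token; a real one would be random.
        byte[] token = "example-token-value".getBytes(StandardCharsets.UTF_8);
        String masked = mask(token, new SecureRandom());
        System.out.println("valid value round-trips: "
                + Arrays.equals(token, unmaskHardened(masked, token.length)));

        // Constructed tampered value: drop the last decoded byte so the length is odd.
        byte[] decoded = Base64.getUrlDecoder().decode(masked);
        String tampered = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(Arrays.copyOf(decoded, decoded.length - 1));

        try {
            unmaskFragile(tampered);
            System.out.println("fragile path: no exception");
        } catch (IndexOutOfBoundsException ex) {
            // System.arraycopy reports this as ArrayIndexOutOfBoundsException, as seen in the thread.
            System.out.println("fragile path threw: " + ex);
        }
        System.out.println("hardened path returns null: "
                + (unmaskHardened(tampered, token.length) == null));
    }
}
```

Running `main` prints a successful round trip for the well-formed value, the exception from the fragile path for the odd-length value, and `true` for the hardened path returning null. The length check is the cheap part; it is also the part that keeps an attacker-controlled request value from turning into a stack trace on every request, which is the performance concern the issue body raises.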