
ArrayIndexOutOfBoundsException thrown when validating csrf token using CookieCsrfTokenRepository. In Version 6.2.3 #14903

Status: Closed
pyyx opened this issue Apr 13, 2024 · 1 comment
Assignees: sjohnr
Labels: status: duplicate (A duplicate of another issue), type: bug (A general bug)

Comments

pyyx commented Apr 13, 2024

Describe the bug
ArrayIndexOutOfBoundsException thrown when validating csrf token using CookieCsrfTokenRepository

To Reproduce
Configuring to use the CookieCsrfTokenRepository

                // on the HttpSecurity builder inside the SecurityFilterChain configuration
                http
                        .csrf(config -> config
                                .csrfTokenRepository(new CookieCsrfTokenRepository()));

Initiate a request without a csrf token to get a csrf token.

> POST http://localhost:8080/signup
> content-type: application/json
> data {"username":"abc","password":"12345678"}
< 403
< set-cookie: XSRF-TOKEN=05929404-5a0f-4cec-96e3-e48f7d9d1009; Path=/; HttpOnly
< x-content-type-options: nosniff
< x-xss-protection: 0
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: 0
< x-frame-options: DENY
< content-length: 0
< date: Sat, 13 Apr 2024 05:20:40 GMT
< connection: close

Pass the base64-encoded csrf token via the request header X-XSRF-TOKEN; this throws ArrayIndexOutOfBoundsException.

> POST http://localhost:8080/signup
> X-XSRF-TOKEN: MDU5Mjk0MDQtNWEwZi00Y2VjLTk2ZTMtZTQ4ZjdkOWQxMDA5
> content-type: application/json
> data {"username":"abc","password":"12345678"}
< 403
< x-content-type-options: nosniff
< x-xss-protection: 0
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: 0
< x-frame-options: DENY
< content-length: 0
< date: Sat, 13 Apr 2024 05:27:46 GMT
< connection: close

java.lang.ArrayIndexOutOfBoundsException: arraycopy: last destination index 36 out of bounds for byte[0]
	at java.base/java.lang.System.arraycopy(Native Method) ~[?:?]
	at org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler.xorCsrf(XorCsrfTokenRequestAttributeHandler.java:122) ~[spring-security-web-6.2.3.jar:6.2.3]

Debug

In org.springframework.security.web.csrf XorCsrfTokenRequestAttributeHandler resolveCsrfTokenValue()

  • Line 92: same token encoded in base64 with same length, randomBytesSize = 0
  • Line 94: create randomBytes of size 0
  • Line 99: pass randomBytes to xorCsrf()
    (screenshot)

In xorCsrf()

  • Line 120: take the minimum of two array lengths
  • Line 121: create byte array with size 0
  • Line 122: Throw an exception
    (screenshot)

Expected behavior
Able to execute successfully when passed the correct token.

Sample
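
The debug notes above trace the failure to a zero-length random prefix: the header carried plain base64 of the cookie value, so "decoded length minus token length" came out as 0. The Python block below is added here as an illustration and is not code from Spring Security or from this issue. It re-implements the masking scheme the notes describe (random bytes prefixed to the XOR of the token, then base64-encoded): `unmask_as_reported` follows the split-and-XOR steps as the report lays them out and shows what the degenerate case yields, `unmask` adds an up-front length check so an unmasked or truncated value is rejected before the XOR step is reached, and `is_valid` compares the recovered value in constant time. The function names and the exact-length rule are this example's own assumptions (the rule is a hardening choice, not a claim about the project's actual fix); the two token values are the ones from the report.

```python
import base64
import hmac
import os
from typing import Optional

# Cookie value from the report (the XSRF-TOKEN the server issued).
TOKEN = "05929404-5a0f-4cec-96e3-e48f7d9d1009"
# Header value the reporter sent: plain base64 of TOKEN, not a masked token.
REPORTED_HEADER = "MDU5Mjk0MDQtNWEwZi00Y2VjLTk2ZTMtZTQ4ZjdkOWQxMDA5"


def mask(token: str, random_bytes: Optional[bytes] = None) -> str:
    """Build the value a client is expected to send back:
    urlsafe_base64(random_bytes || (token XOR random_bytes)).
    A fresh random prefix makes every transmitted value differ,
    which is the point of masking the token."""
    token_bytes = token.encode("utf-8")
    if random_bytes is None:
        random_bytes = os.urandom(len(token_bytes))
    if len(random_bytes) != len(token_bytes):
        raise ValueError("random prefix must be as long as the token")
    xored = bytes(t ^ r for t, r in zip(token_bytes, random_bytes))
    return base64.urlsafe_b64encode(random_bytes + xored).decode("ascii")


def unmask_as_reported(actual: str, token: str) -> Optional[str]:
    """Re-implements the split-and-XOR steps from the debug notes:
    random prefix length = decoded length - token length.  For a plain
    base64 token that length is 0, so the XOR covers min(0, 36) = 0
    bytes.  Java's arraycopy of 36 bytes into that 0-length array is
    the ArrayIndexOutOfBoundsException; Python slicing just yields ''."""
    try:
        actual_bytes = base64.urlsafe_b64decode(actual)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    token_bytes = token.encode("utf-8")
    if len(actual_bytes) < len(token_bytes):
        return None
    split = len(actual_bytes) - len(token_bytes)
    random_bytes, xored = actual_bytes[:split], actual_bytes[split:]
    n = min(len(random_bytes), len(xored))
    return bytes(xored[i] ^ random_bytes[i] for i in range(n)).decode("utf-8", "replace")


def unmask(actual: str, token: str) -> Optional[str]:
    """Hardened variant (this example's choice, not necessarily the
    project's fix): a masked value must decode to exactly twice the
    token length, so an empty or short random prefix is rejected before
    any XOR happens."""
    try:
        actual_bytes = base64.urlsafe_b64decode(actual)
    except ValueError:
        return None
    token_bytes = token.encode("utf-8")
    n = len(token_bytes)
    if len(actual_bytes) != 2 * n:
        return None
    random_bytes, xored = actual_bytes[:n], actual_bytes[n:]
    try:
        return bytes(x ^ r for x, r in zip(xored, random_bytes)).decode("utf-8")
    except UnicodeDecodeError:
        return None


def is_valid(actual: str, token: str) -> bool:
    """Compare the recovered token with the cookie value in constant time."""
    recovered = unmask(actual, token)
    if recovered is None:
        return False
    return hmac.compare_digest(recovered.encode("utf-8"), token.encode("utf-8"))


if __name__ == "__main__":
    print("reported header, as-reported logic:", repr(unmask_as_reported(REPORTED_HEADER, TOKEN)))
    print("reported header, hardened check:", is_valid(REPORTED_HEADER, TOKEN))
    print("properly masked token:", is_valid(mask(TOKEN), TOKEN))
```

Run as a script it prints the empty string the as-reported path produces for the header from this issue, `False` for the hardened check on that same header, and `True` for a value produced by `mask`. The length test also rejects a header that is shorter than the token or that has had bytes appended, which the "decoded length minus token length" rule alone does not catch.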

@pyyx pyyx added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 13, 2024
sjohnr (Member) commented Apr 24, 2024

@pyyx thanks for the report. I believe this is a duplicate of gh-13310. While it is already resolved, there is a remaining issue being worked on in gh-14902. I'm going to close this as a duplicate.

@sjohnr sjohnr closed this as completed Apr 24, 2024
@sjohnr sjohnr self-assigned this Apr 24, 2024
@sjohnr sjohnr added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 24, 2024