Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolving invalid CSRF token values is not consistent #15184

Closed
sjohnr opened this issue May 31, 2024 · 1 comment
Closed

Resolving invalid CSRF token values is not consistent #15184

sjohnr opened this issue May 31, 2024 · 1 comment
Assignees
@sjohnr
Labels
in: messaging An issue in spring-security-messaging in: web An issue in web modules (web, webmvc) type: bug A general bug
Milestone
5.8.13

Comments

@sjohnr
Copy link
Member

sjohnr commented May 31, 2024

Describe the bug

When CSRF tokens are modified client-side, resolving token values with the Xor* implementations is not consistent:

  • When the expected token (stored via CsrfToken) is shorter than the provided token, a token of arbitrary length is resolved
  • When the expected token (stored via CsrfToken) is longer than the provided token, an ArrayIndexOutOfBoundsException is thrown

Expected behavior

When CSRF tokens are modified client-side, resolving CSRF token values should be consistent:

  • When the expected token is shorter than the provided token, the token should be resolved as null
  • When the expected token is longer than the provided token, the token should be resolved as null

Additionally, we should ensure the following edge cases are covered:

  • When a single byte is added to the encoded token, the token should be resolved as null and no ArrayIndexOutOfBoundsException is thrown
  • When a single byte is removed from the encoded token, the token should be resolved as null and no ArrayIndexOutOfBoundsException is thrown

Context

This issue was originally reported via gh-13310 and partially resolved in 6.2.0.
@sjohnr sjohnr added in: messaging An issue in spring-security-messaging in: web An issue in web modules (web, webmvc) type: bug A general bug labels May 31, 2024
@sjohnr sjohnr added this to the 5.8.13 milestone May 31, 2024
@sjohnr sjohnr self-assigned this May 31, 2024
@sjohnr sjohnr moved this to In Progress in Spring Security Team May 31, 2024
@sjohnr
Copy link
Member Author

sjohnr commented May 31, 2024

See this comment for more info.

This was referenced May 31, 2024
Closed
Closed
Closed
@sjohnr sjohnr closed this as completed in dcb8c56 Jun 1, 2024
@sjohnr sjohnr moved this from In Progress to Done in Spring Security Team Jun 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
in: messaging An issue in spring-security-messaging in: web An issue in web modules (web, webmvc) type: bug A general bug
Projects
Spring Security Team
Status: Done
Milestone
5.8.13
Development

No branches or pull requests
1 participant
@sjohnr