IpAddressMatcher null pointer exception

[hananbs]

Previously we used IpAddressMatcher for matching ips.
After upgrade to Spring boot 3.3, my tests start failing on cases I provide null as 'address'. due to internal checks NPE is thrown when null address supplied.

https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java#L103

in previous version (SB3.1) when null was provided it was internally handled as localhost ip ("localhost/127.0.0.1" InnetAddress).
https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java#L109

To Reproduce
Spring framework: 6.1.10
Spring boot: 3.3.1

perform:
new IpAddressMatcher().matches(null)

Expected behavior
spring matcher should internally consider null as localhost

Thanks in advance.
If this intention to not have default assumption over null please let me know.
I did not found it in any release note/ migration guide

[ankith2301]

this issue is resolved i tried reproducing this is resolved

[sjohnr]

@hananbs thanks for reporting this. I have just pushed a fix to main to fix this bug. I was not clear on which branches exhibited the bug but eventually found that it was introduced in 6.3 so I backported the fix to 6.3.x as well, and it should be available in 6.3.5 on Monday (Nov 18, 2024).

Unfortunately, there are no tests asserting that null is a valid input to the matches() method and we don't want to rely on InetAddress.getByName(null) to define the behavior here. So IpAddressMatcher#matches((String) null) returns false including for "127.0.0.1". This is now codified in a test.

I should also mention that a similar behavior was exhibited by the constructor so I have also added an assertion to the constructor that requires a non-empty input.