
Commit 4f7d529

committed
Polish Csrf Tests
Issue gh-9561
1 parent 87ed527 commit 4f7d529


2 files changed

+29
-27
lines changed


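--- a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
@@ -17,7 +17,6 @@
 package org.springframework.security.web.csrf;
 
 import java.io.IOException;
-import java.lang.reflect.Method;
 import java.util.Arrays;
 
 import javax.servlet.FilterChain;
@@ -97,18 +96,6 @@ private void resetRequestResponse() {
 this.response = new MockHttpServletResponse();
 }
 
-@Test
-public void nullConstantTimeEquals() throws Exception {
-Method method = CsrfFilter.class.getDeclaredMethod("equalsConstantTime", String.class, String.class);
-method.setAccessible(true);
-assertThat(method.invoke(CsrfFilter.class, null, null)).isEqualTo(true);
-String expectedToken = "Hello—World";
-String actualToken = new String("Hello—World");
-assertThat(method.invoke(CsrfFilter.class, expectedToken, null)).isEqualTo(false);
-assertThat(method.invoke(CsrfFilter.class, expectedToken, "hello-world")).isEqualTo(false);
-assertThat(method.invoke(CsrfFilter.class, expectedToken, actualToken)).isEqualTo(true);
-}
-
 @Test
 public void constructorNullRepository() {
 assertThatIllegalArgumentException().isThrownBy(() -> new CsrfFilter(null));
@@ -333,6 +320,20 @@ public void doFilterWhenSkipRequestInvokedThenSkips() throws Exception {
 verifyZeroInteractions(repository);
 }
 
+// gh-9561
+@Test
+public void doFilterWhenTokenIsNullThenNoNullPointer() throws Exception {
+CsrfFilter filter = createCsrfFilter(this.tokenRepository);
+CsrfToken token = mock(CsrfToken.class);
+given(token.getToken()).willReturn(null);
+given(token.getHeaderName()).willReturn(this.token.getHeaderName());
+given(token.getParameterName()).willReturn(this.token.getParameterName());
+given(this.tokenRepository.loadToken(this.request)).willReturn(token);
+given(this.requestMatcher.matches(this.request)).willReturn(true);
+filter.doFilterInternal(this.request, this.response, this.filterChain);
+assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+}
+
 @Test
 public void setRequireCsrfProtectionMatcherNull() {
 assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setRequireCsrfProtectionMatcher(null));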
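Review bot: `doFilterWhenTokenIsNullThenNoNullPointer` asserts `SC_OK` for a request on which no CSRF header or parameter is set (nothing is stubbed or added to `this.request` on the visible lines), so the test pins that a stored token whose value is null lets a token-less request through, which is a stronger and more permissive statement than the "no NullPointerException" the name promises. The removed `nullConstantTimeEquals` lines show `equalsConstantTime(null, null)` returning true, which presumably is what produces the 200 here. If that is the intended contract it deserves a comment above the assertion, e.g. `// no token is sent with the request; the null stored value compares equal to the absent token, so the request is allowed through`, and if it is not, the assertion should expect the access-denied status instead. The sibling test added in CsrfWebFilterTests.java posts the real token value against the null stored value and expects `isForbidden()`, so the two tests cover different scenarios under the same name; covering both the absent-token and wrong-token cases in each file would make the gh-9561 regression coverage symmetric.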

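--- a/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
@@ -16,8 +16,6 @@
 
 package org.springframework.security.web.server.csrf;
 
-import java.lang.reflect.Method;
-
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
@@ -67,18 +65,6 @@ public class CsrfWebFilterTests {
 
 private MockServerWebExchange post = MockServerWebExchange.from(MockServerHttpRequest.post("/"));
 
-@Test
-public void nullConstantTimeEquals() throws Exception {
-Method method = CsrfWebFilter.class.getDeclaredMethod("equalsConstantTime", String.class, String.class);
-method.setAccessible(true);
-assertThat(method.invoke(CsrfWebFilter.class, null, null)).isEqualTo(true);
-String expectedToken = "Hello—World";
-String actualToken = new String("Hello—World");
-assertThat(method.invoke(CsrfWebFilter.class, expectedToken, null)).isEqualTo(false);
-assertThat(method.invoke(CsrfWebFilter.class, expectedToken, "hello-world")).isEqualTo(false);
-assertThat(method.invoke(CsrfWebFilter.class, expectedToken, actualToken)).isEqualTo(true);
-}
-
 @Test
 public void filterWhenGetThenSessionNotCreatedAndChainContinues() {
 PublisherProbe<Void> chainResult = PublisherProbe.empty();
@@ -226,6 +212,21 @@ public void filterWhenMultipartMixedAndEnabledThenNotRead() {
 .isForbidden();
 }
 
+// gh-9561
+@Test
+public void doFilterWhenTokenIsNullThenNoNullPointer() {
+this.csrfFilter.setCsrfTokenRepository(this.repository);
+CsrfToken token = mock(CsrfToken.class);
+given(token.getToken()).willReturn(null);
+given(token.getHeaderName()).willReturn(this.token.getHeaderName());
+given(token.getParameterName()).willReturn(this.token.getParameterName());
+given(this.repository.loadToken(any())).willReturn(Mono.just(token));
+WebTestClient client = WebTestClient.bindToController(new OkController()).webFilter(this.csrfFilter).build();
+client.post().uri("/").contentType(MediaType.APPLICATION_FORM_URLENCODED)
+.bodyValue(this.token.getParameterName() + "=" + this.token.getToken()).exchange().expectStatus()
+.isForbidden();
+}
+
 @RestController
 static class OkController {
 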