
NullPointerException when using JSP Tags and the CSRFGuard is disabled. #21

Closed
alexhatz05 opened this issue Aug 12, 2021 · 6 comments · Fixed by #20
Labels
bug Something isn't working

Comments

@alexhatz05
Contributor

Hello,

[Bug Description]
I am using CSRFGuard JSP Tag libraries in a Java EE project (Java 8). I recently faced the following issue: when I have to set the org.owasp.csrfguard.Enabled property to false, then a Null Pointer Exception is thrown and my application fails to load.

I checked the code of the respective JSP Tags and noticed that there is no check to see if the CSRFGuard is enabled before proceeding with the token injection. After debugging I found that the following line throws the exception:

final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract((HttpServletRequest) this.pageContext.getRequest());

[To Reproduce]
Steps to reproduce the behavior:

  1. Go to CSRFGuard properties and set org.owasp.csrfguard.Enabled = false
  2. Load any page that is using CSRFGuard JSP Tags
  3. See the error in the logs

[Expected behavior]
For practical reasons, I deem it necessary to find a solution so that an application using CSRFGuard tags would not be impacted by the CSRF functionality when the guard is disabled.

[Environment]

  • OS: RHEL
  • Browser: Chrome, Firefox (I checked only those two)

[Solution that worked for me]
If you would like to consider my solution, I have submitted a Pull Request with the branch check_if_enabled_before_injecting_with_tag which contains a simple solution by checking if the CSRFGuard is enabled before proceeding with the logic. I have done this for TokenTag, TokenNameTag, TokenValueTag.
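The fix the issue asks for, shown as an added example that is neither the project's own TokenTag nor the contributor's pull request: a hidden-input token tag that checks whether CSRFGuard is enabled (and whether a logical session exists) before calling the session extractor, so that a page rendering the tag with org.owasp.csrfguard.Enabled = false degrades to emitting nothing instead of failing with a NullPointerException. The class and package names are hypothetical, and the CSRFGuard 4.x calls used (CsrfGuard.getInstance(), isEnabled(), getTokenName(), getLogicalSessionExtractor().extract(HttpServletRequest), getTokenService().getTokenValue(sessionKey, uri), LogicalSession.getKey()) are assumptions drawn from the line quoted above; verify them against the version you ship.

```java
package com.example.csrf; // hypothetical package, not part of OWASP CSRFGuard

import java.io.IOException;
import java.util.Objects;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.JspWriter;
import javax.servlet.jsp.tagext.TagSupport;

import org.owasp.csrfguard.CsrfGuard;
import org.owasp.csrfguard.session.LogicalSession;

/**
 * Token tag that is safe to use while CSRFGuard is disabled (added example).
 *
 * Assumed CSRFGuard 4.x API: CsrfGuard.getInstance(), isEnabled(), getTokenName(),
 * getLogicalSessionExtractor().extract(HttpServletRequest),
 * getTokenService().getTokenValue(String sessionKey, String uri), LogicalSession.getKey().
 */
public class GuardedTokenTag extends TagSupport {

    private static final long serialVersionUID = 1L;

    @Override
    public int doStartTag() throws JspException {
        final CsrfGuard csrfGuard = CsrfGuard.getInstance();

        // The check missing in the issue: with org.owasp.csrfguard.Enabled=false the
        // guard's collaborators are not initialised, so touching the session extractor
        // dereferences null. Render nothing and let the page load.
        if (csrfGuard == null || !csrfGuard.isEnabled()) {
            return SKIP_BODY;
        }

        final HttpServletRequest request = (HttpServletRequest) this.pageContext.getRequest();
        final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract(request);

        // A request without a logical session (e.g. a page served before login) has no
        // token to inject; again prefer an empty output over a failed page.
        if (Objects.isNull(logicalSession)) {
            return SKIP_BODY;
        }

        final String tokenName = csrfGuard.getTokenName();
        final String tokenValue = csrfGuard.getTokenService()
                .getTokenValue(logicalSession.getKey(), request.getRequestURI());

        try {
            final JspWriter out = this.pageContext.getOut();
            out.write("<input type=\"hidden\" name=\"" + escapeAttr(tokenName)
                    + "\" value=\"" + escapeAttr(tokenValue) + "\"/>");
        } catch (IOException e) {
            throw new JspException("Failed to write CSRF token", e);
        }
        return SKIP_BODY;
    }

    // Attribute-value escaping so a token or configured name can never break out of the element.
    private static String escapeAttr(String s) {
        if (s == null) {
            return "";
        }
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }
}
```

The same two early returns (guard disabled, no logical session) apply to tags that emit only the token name or only the token value; the point is that every tag consults csrfGuard.isEnabled() before it reaches for the extractor or the token service.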

@forgedhallpass
Member

Thank you @alexhatz05. Very well written description of the issue! The PR will be accepted after the minor changes that were requested. Is the issue also reproducible in the test application?

@alexhatz05
Contributor Author

alexhatz05 commented Aug 12, 2021

Thank you for accepting my change :) I submitted the changes requested, hope you received them (I'm new to contributing).

I just checked with the test application having CSRFGuard disabled and managed to reproduce the issue there as well.

[Screenshot: exception]

@forgedhallpass
Member

Fixed by #20

@forgedhallpass
Member

I've created a new patch version release (https://github.com/OWASP/www-project-csrfguard/releases/tag/4.0.1) with your changes. It will soon be available on Maven central as well. Thank you for your contribution.

@forgedhallpass forgedhallpass added the bug Something isn't working label Sep 15, 2021
@kguelzau

Neither 4.0.1 nor 4.1.0 is available on Maven Central, right?

@forgedhallpass
Member

@kguelzau 4.1.1 has been released to Maven Central.
