ZCS-8246 Fixing NPE with CSRF check (#987)

* ZCS-8246 Fixing NPE with CSRF check * ZCS-8246 Code review comments
Zimbra · Nov 29, 2019 · e5cf669 · e5cf669
1 parent 0cade97
commit e5cf669
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java b/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java
@@ -171,6 +171,24 @@ public final void testIsValidCsrfTokenForAccountWithMultipleTokens() {
         }
     }
 
+    @Test
+    public final void testIsValidCsrfTokenForAccountWithNullAuthToken() {
+        try {
+            Account acct = Provisioning.getInstance().getAccountByName(
+                "[email protected]");
+            AuthToken authToken = new ZimbraAuthToken(acct);
+
+            String csrfToken1 = CsrfUtil.generateCsrfToken(acct.getId(),
+                AUTH_TOKEN_EXPR, CSRFTOKEN_SALT, authToken);
+            boolean validToken = CsrfUtil.isValidCsrfToken(csrfToken1, null);
+            assertEquals(false, validToken);
+
+
+        } catch (Exception  e) {
+            fail("Should not throw exception.");
+        }
+    }
+
 
     @Test
     public final void testIsCsrfRequestWhenCsrfCheckIsTurnedOn() {

diff --git a/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java b/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java
@@ -255,7 +255,7 @@ public static Account getAccount(AuthToken authToken, boolean loadFromLdap) thro
     }
 
     public static boolean isValidCsrfToken(String csrfToken, AuthToken authToken) {
-        if (StringUtil.isNullOrEmpty(csrfToken)) {
+        if (StringUtil.isNullOrEmpty(csrfToken) || null == authToken) {
             return false;
         }