From e5cf6695691ca673c3e41213f3ae4e8c1c8c0225 Mon Sep 17 00:00:00 2001
From: rupalid
Date: Fri, 29 Nov 2019 09:24:56 +0530
Subject: [PATCH] ZCS-8246 Fixing NPE with CSRF check (#987)
* ZCS-8246 Fixing NPE with CSRF check
* ZCS-8246 Code review comments
---
.../zimbra/cs/servlet/util/CsrfUtilTest.java | 18 ++++++++++++++++++
.../com/zimbra/cs/servlet/util/CsrfUtil.java | 2 +-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java b/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java
index 26fc55bf5d5..9d73cb7023f 100644
--- a/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java
+++ b/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java
@@ -171,6 +171,24 @@ public final void testIsValidCsrfTokenForAccountWithMultipleTokens() {
 }
 }
+ @Test
+ public final void testIsValidCsrfTokenForAccountWithNullAuthToken() {
+ try {
+ Account acct = Provisioning.getInstance().getAccountByName(
+ "test@zimbra.com");
+ AuthToken authToken = new ZimbraAuthToken(acct);
+
+ String csrfToken1 = CsrfUtil.generateCsrfToken(acct.getId(),
+ AUTH_TOKEN_EXPR, CSRFTOKEN_SALT, authToken);
+ boolean validToken = CsrfUtil.isValidCsrfToken(csrfToken1, null);
+ assertEquals(false, validToken);
+
+
+ } catch (Exception e) {
+ fail("Should not throw exception.");
+ }
+ }
+
+ @Test
+ public final void testIsCsrfRequestWhenCsrfCheckIsTurnedOn() {
diff --git a/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java b/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java
index 3c59caff554..5ce47a50756 100644
--- a/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java
+++ b/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java
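Review bot: The `catch (Exception e) { fail("Should not throw exception."); }` wrapper in testIsValidCsrfTokenForAccountWithNullAuthToken discards the stack trace of whatever went wrong, so a regression of the NPE this commit fixes would surface only as that generic message; declaring the test method `throws Exception` and dropping the try/catch lets the runner report the real cause. `assertEquals(false, validToken)` reads better as `assertFalse(validToken)`, and the two consecutive blank lines before the catch can go. The test otherwise pins the fail-closed behaviour that the CsrfUtil change introduces, which is the right property to lock in. The enclosing test class starts and ends outside the hunk.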
@@ -255,7 +255,7 @@ public static Account getAccount(AuthToken authToken, boolean loadFromLdap) thro
 }
 public static boolean isValidCsrfToken(String csrfToken, AuthToken authToken) {
- if (StringUtil.isNullOrEmpty(csrfToken)) {
+ if (StringUtil.isNullOrEmpty(csrfToken) || null == authToken) {
 return false;
 }
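Review bot: The added `|| null == authToken` makes isValidCsrfToken fail closed for a missing auth token, which is the right choice, but the method's Javadoc (outside the hunk, if present) should now state the contract, e.g. `@param authToken the caller's auth token; {@code null} is treated as an invalid token and yields {@code false}`. Because a null token is now indistinguishable from a token mismatch to the caller, a debug-level log on that branch would help operators tell a missing session apart from a forged or stale CSRF token when diagnosing rejected requests; whether such logging already exists further down the method cannot be seen here. The Yoda form `null == authToken` is unusual in Java and `authToken == null` matches the surrounding style. The rest of isValidCsrfToken continues outside the hunk.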