csrfGenerateToken() and csrfVerifyToken() with no arguments throw a null pointer exception.

Description

After the fix from LDEV-2536, the csrfGenerateToken function works with sessionCluster = false, but calling it with no arguments throws a null pointer exception when sessions are stored in redis.

Same thing with csrfVerifyToken() when only the token is provided instead of the key.

Example Application.cfc if redis is running locally, using the Lucee Beta Redis driver 2.9.0.3:

 

component {
    this.name = 'csrfTest';
    this.setClientCookies = true;
    this.sessioncookie = { 'httpOnly' = true, 'secure' = false, 'timeout' = 1 };
    this.cache.connections["sessionStorage"] = {
        class: 'lucee.extension.io.cache.redis.simple.RedisCache'
        , bundleName: 'redis.extension'
        , bundleVersion: '2.9.0.3-BETA'
        , storage: true
        , custom: {
            "minIdle":"0",
            "maxTotal":"100",
            "maxIdle":"100",
            "host": "localhost",
            "password":"",
            "port":"6379",
            "timeout":"2000",
            "timeToLiveSeconds":"7200"
        }
    };
    this.sessionstorage = "sessionStorage";
    this.sessionManagement = true;
    this.sessionType = "cfml";
    this.sessionCluster = false;
    this.clientStorage = 'cookie';
}

 

Then in index.cfm:

 

<cfscript>
    test = csrfGenerateToken();
    dump( test );
    result = csrfVerifyToken( test );
    dump( result );
</cfscript>

 

Result:

 

lucee.runtime.exp.NativeException: java.lang.NullPointerException
    at lucee.commons.collection.concurrent.ConcurrentHashMapNullSupport.hash(ConcurrentHashMapNullSupport.java:166)
    at lucee.commons.collection.concurrent.ConcurrentHashMapNullSupport.get(ConcurrentHashMapNullSupport.java:817)
    at lucee.runtime.type.scope.storage.IKStorageScopeSupport.generateToken(IKStorageScopeSupport.java:590)
    at lucee.runtime.functions.csrf.CSRFGenerateToken.call(CSRFGenerateToken.java:42)
    at lucee.runtime.functions.csrf.CSRFGenerateToken.call(CSRFGenerateToken.java:34)
    at index_cfm$cf.call(/index.cfm:2)
    at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:944)
    at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:836)
    at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:216)
    at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:42)
    at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2415)
    at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2405)
    at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2380)
    at lucee.runtime.engine.Request.exe(Request.java:43)
    at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1110)
    at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1056)
    at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
    at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.cfmlprojects.regexpathinfofilter.RegexPathInfoFilter.doFilter(RegexPathInfoFilter.java:47)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:336)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
    ... 52 more

 

Environment

None

Activity

Michael Offner 22 November 2019 at 15:37

The problem only occurred in 5.3.4; because of that, it is not fixed in 5.3.5.

Pothys - MitrahSoft 13 November 2019 at 07:16

Yes. The error was reproduced in the affected version (5.3.4.67-SNAPSHOT) when sessions were stored in external session storage. It throws the same error, "java.lang.NullPointerException".
But in the latest version (5.3.5.36_SNAPSHOT), Lucee is working as expected with your example.

Samuel W. Knowlton 12 November 2019 at 14:21

I have updated the issue with additional details and a sample Application.cfc. It does not occur if you are not storing sessions in an external cache. We tested it with Redis but I suspect any external cache would probably do it.

Pothys - MitrahSoft 12 November 2019 at 07:47

I've checked this ticket with the latest Lucee (5.3.5.36-SNAPSHOT) and the affected version, but I was not able to reproduce the issue. csrfGenerateToken() works fine with and without an argument, while csrfVerifyToken() with no argument only throws an exception like "too few attributes in function [csrfVerifyToken]", because one attribute is required.
So, could you please check this again?

Fixed

Created 11 November 2019 at 15:03
Updated 8 May 2020 at 18:54
Resolved 5 December 2019 at 16:33
