Description
Describe the bug
URL deserialization from the REDIRECT_URI cookie in CookieRequestCache fails and results in a 500 Internal Server Error if the cookie contains a non-Base64 character.
The 500 Internal Server Error stems from an IllegalArgumentException in this code in CookieRequestCache.java:
private static String decodeCookie(String encodedCookieValue) {
return new String(Base64.getDecoder().decode(encodedCookieValue.getBytes()));
}
To Reproduce
- Configure Spring Security to use a CookieRequestCache as follows:
http.requestCache(config -> config.requestCache(new CookieRequestCache()));
- With the server running, send an authenticated request with an altered REDIRECT_URI cookie value:
curl -k 'https://localhost:8443' -H 'Cookie: SESSION=MWY…; REDIRECT_URI=123^^^456'
Expected behavior
The server should either ignore the invalid REDIRECT_URI cookie value and clear the cookie, or respond with status 400 Bad Request and an error description, as described in the HTTP specification.
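An added illustration, not code from this issue or from Spring Security: the decodeCookie logic quoted above beside a hardened variant that treats a missing, malformed or non-URL cookie as "no saved request" instead of throwing. The class name, method names and the sample cookie values are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical class; names and structure are assumptions, not Spring Security's.
public class RedirectUriCookieDecoding {
    // Mirrors the original decodeCookie: a non-Base64 byte such as '^' makes
    // Base64.Decoder throw IllegalArgumentException, which surfaces as a 500.
    static String decodeCookieUnchecked(String encodedCookieValue) {
        byte[] raw = encodedCookieValue.getBytes(StandardCharsets.US_ASCII);
        return new String(Base64.getDecoder().decode(raw), StandardCharsets.UTF_8);
    }

    // Hardened variant: a missing, malformed or non-URL cookie yields an empty
    // result, which the caller treats as "no saved request" and clears the cookie.
    static Optional<URI> decodeCookieSafely(String encodedCookieValue) {
        if (encodedCookieValue == null || encodedCookieValue.isEmpty()) {
            return Optional.empty();
        }
        try {
            byte[] raw = encodedCookieValue.getBytes(StandardCharsets.US_ASCII);
            String decoded = new String(Base64.getDecoder().decode(raw), StandardCharsets.UTF_8);
            URI uri = new URI(decoded);
            // Accept only absolute http(s) URLs; anything else is discarded.
            if (!"https".equals(uri.getScheme()) && !"http".equals(uri.getScheme())) {
                return Optional.empty();
            }
            return Optional.of(uri);
        } catch (IllegalArgumentException | URISyntaxException e) {
            // Invalid Base64 or an unparsable URL: ignore it rather than fail the request.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed values: the tampered cookie from the report's curl command and a valid one.
        String tampered = "123^^^456";
        String valid = Base64.getEncoder().encodeToString("https://localhost:8443/account".getBytes(StandardCharsets.UTF_8));
        try {
            decodeCookieUnchecked(tampered);
        } catch (IllegalArgumentException e) {
            System.out.println("unchecked decode failed: " + e.getMessage());
        }
        System.out.println("safe decode of tampered cookie: " + decodeCookieSafely(tampered));
        System.out.println("safe decode of valid cookie:    " + decodeCookieSafely(valid));
    }
}
```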
Sample
Any application that uses Spring Security need only insert this one line where its HttpSecurity is configured to reproduce the issue:
http.requestCache(config -> config.requestCache(new CookieRequestCache()));
Impact
A customer of ours ran the Invicti Web Security Scanner on our application, and it triggered this error and reported it to the customer as a low-severity vulnerability (details). From that page:
Impact
The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting.
I hope that you’ll prioritize fixing this issue since it has a simple fix and because even minor security vulnerabilities identified by web scanners make products/applications that use Spring Security look bad.