Fix NPE in IpAddressMatcher

sjohnr · sjohnr · commit 554df6fab629 · 2024-11-15T10:17:38.000-06:00
Closes gh-15527 (cherry picked from commit 52de894)
diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
@@ -71,6 +71,11 @@ public boolean matches(HttpServletRequest request) {
 	}
 
 	public boolean matches(String address) {
+		// Do not match null or blank address
+		if (!StringUtils.hasText(address)) {
+			return false;
+		}
+
 		assertNotHostName(address);
 		InetAddress remoteAddress = parseAddress(address);
 		if (!this.requiredAddress.getClass().equals(remoteAddress.getClass())) {
diff --git a/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java b/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -126,4 +126,17 @@ public void numericDomainNameThenIllegalArgumentException() {
 			.withMessage("ipAddress 123.156.7.18.org doesn't look like an IP Address. Is it a host name?");
 	}
 
+	// gh-15527
+	@Test
+	public void matchesWhenIpAddressIsLoopbackAndAddressIsNullThenFalse() {
+		IpAddressMatcher ipAddressMatcher = new IpAddressMatcher("127.0.0.1");
+		assertThat(ipAddressMatcher.matches((String) null)).isFalse();
+	}
+
+	// gh-15527
+	@Test
+	public void matchesWhenAddressIsNullThenFalse() {
+		assertThat(this.v4matcher.matches((String) null)).isFalse();
+	}
+
 }
