Closed ryber closed 5 years ago
Thanks for reporting this @ryber - we'll address it in the next minor release.
I just tested with the Apache header value parser and it also struggles with the base64 encoded value. What I get out of it is:
[{"name":"YQ","value":"=","parameters":[],"parameterCount":0}]
I can fix the parser not to throw the exception. However, I assume you want to get the full base64-encoded value out. Are you using the `String getHeader(String)` method of the request?
We have a filter that deals with JWTs stored in secured/http-only cookies. It works fine in Tomcat, Jetty, and Spark (Jetty). In this case we were using it with Java Spark in a Lambda. That's when we hit this exception. I created the issue boiled down without all the extra. So, round-about, it comes from getting cookie values. But I suspect it would have a problem even if it was just in a "regular" header.
Should be ok with regular headers because the getHeader method returns the string value without trying to parse it. I've added a condition to check whether the entire value is base64-encoded in the fix. I will add a test for a cookie value to be base64-encoded. Can you confirm that the header looks something like this:
Cookie: jwt=YQ==; secondCookie=customvalue
Yes, looks exactly like that
I'd keep in mind that the `=` is the buffer and I believe could be just one, maybe 3? In any case, not always just two of them.
Yup, thanks. Working on a fix now. It's hard to distinguish whether it's a key name with a null value or a base64-encoded value when the buffer has a single `=`.
Just pushed some more changes. I've added a unit test for your use case and it seems to work. You can test with the `1.4-SNAPSHOT` version from the `core` branch of this repo.
Thanks, is it in a repo somewhere or do I need to build it myself?
You'll have to clone the `core` branch and `mvn install` on your local system; then, if you add the `1.4-SNAPSHOT` as a dependency to your project, Maven should pick it up by itself from the local repo.
Hey it works @sapessi! Thanks for the quick turnaround.
One note: I had to comment out the OWASP filter locally to get Maven to do a local install because it couldn't resolve itself (I think), but after that all was well.
awesome. I'll try to push 1.3.2 out this weekend!
Release 1.3.2 - which includes this fix - is on its way to maven central! Resolving this issue.
Scenario
ArrayIndexOutOfBoundsException when a header value contains a "=" as part of its value
Expected behavior
Would parse the value to include the "="
Actual behavior
java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
Steps to reproduce
Full log output
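Added example, not code from this issue or from the project's own parser: it reproduces the failure mode described above (a name=value tokenizer that splits on every "=" and indexes the second element) and shows the fix of splitting on the first "=" only, so base64 padding survives. The class and method names are hypothetical, and the sample Cookie header is constructed to match the one quoted in the thread.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public class CookieValueParsing {

    // Naive name=value tokenizer (illustrative, not the library's code).
    // Java's String.split discards trailing empty strings, so
    // "YQ==".split("=") is ["YQ"] (length 1) and kv[1] throws
    // ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1,
    // which is the exception reported in this issue.
    static String[] parseNameValueNaive(String token) {
        String[] kv = token.split("=");
        return new String[] { kv[0], kv[1] };
    }

    // Hardened tokenizer: split on the FIRST '=' only, so everything after it,
    // '=' padding included, is kept as the value. A token with no '=' at all is
    // a bare name with an empty value. A bare base64 value such as "YQ=" handed
    // to this method is still read as name "YQ" with an empty value; that is
    // the ambiguity the maintainer mentions, and the reason the header should
    // be split into pairs once, here, rather than re-parsing each value.
    static String[] parseNameValue(String token) {
        int eq = token.indexOf('=');
        if (eq < 0) {
            return new String[] { token.trim(), "" };
        }
        return new String[] { token.substring(0, eq).trim(), token.substring(eq + 1).trim() };
    }

    // Parse a full Cookie header into an ordered map, tolerating empty
    // segments such as a trailing ';'.
    static Map<String, String> parseCookieHeader(String header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        if (header == null) {
            return cookies;
        }
        for (String segment : header.split(";")) {
            String token = segment.trim();
            if (token.isEmpty()) {
                continue;
            }
            String[] kv = parseNameValue(token);
            cookies.put(kv[0], kv[1]);
        }
        return cookies;
    }

    public static void main(String[] args) {
        // Constructed sample header, modelled on the one quoted in the thread.
        String header = "jwt=YQ==; secondCookie=customvalue";

        Map<String, String> cookies = parseCookieHeader(header);
        System.out.println(cookies);                    // {jwt=YQ==, secondCookie=customvalue}

        // The naive tokenizer silently drops the padding at pair level ...
        String[] naivePair = parseNameValueNaive("jwt=YQ==");
        System.out.println(Arrays.toString(naivePair)); // [jwt, YQ]

        // ... and throws when the bare value is fed back through it.
        try {
            parseNameValueNaive(cookies.get("jwt"));
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("naive parser: " + e.getMessage());
        }

        // A value with '=' in the middle is also preserved by the hardened parser.
        System.out.println(Arrays.toString(parseNameValue("k=a=b=")));   // [k, a=b=]
    }
}
```

The security-relevant point is that a cookie carrying a token must be handed to the filter byte-for-byte: truncating "YQ==" to "YQ" does not just break base64 decoding, it changes the bytes that a signature check later runs over, so a parser that drops characters here turns into a hard-to-diagnose authentication failure rather than a visible exception.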