fixes setting paramName only when it is not null

Fixes: gh-6223
2018-12-24 14:48:26 +05:30 · 2018-12-24 14:48:26 +05:30 · 4ff51491d7
parent f234a5fbdb
commit 4ff51491d7
2 changed files with 79 additions and 1 deletions
--- a/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
@ -112,7 +112,9 @@ class MethodSecurityEvaluationContext extends StandardEvaluationContext {
 		}

 		for (int i = 0; i < args.length; i++) {
-			super.setVariable(paramNames[i], args[i]);
+			if (paramNames[i] != null) {
+				setVariable(paramNames[i], args[i]);
+			}
 		}
 	}

--- a/core/src/test/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContextTests.java
+++ b/core/src/test/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContextTests.java
@ -0,0 +1,76 @@
+/*
+ * Copyright 2002-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.access.expression.method;
+
+import java.lang.reflect.Method;
+
+import org.aopalliance.intercept.MethodInvocation;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import org.springframework.core.ParameterNameDiscoverer;
+import org.springframework.lang.Nullable;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.ReflectionUtils;
+
+import static org.mockito.Mockito.doReturn;
+
+/**
+ * @author shabarijonnalagadda
+ *
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class MethodSecurityEvaluationContextTests {
+	@Mock
+	private ParameterNameDiscoverer paramNameDiscoverer;
+	@Mock
+	private Authentication authentication;
+	@Mock
+	private MethodInvocation methodInvocation;
+
+	@Test
+	public void lookupVariableWhenParameterNameNullThenNotSet() {
+		Class<String> type = String.class;
+		Method method = ReflectionUtils.findMethod(String.class, "contains", CharSequence.class);
+		doReturn(new String[] {null}).when(paramNameDiscoverer).getParameterNames(method);
+		doReturn(new Object[]{null}).when(methodInvocation).getArguments();
+		doReturn(type).when(methodInvocation).getThis();
+		doReturn(method).when(methodInvocation).getMethod();
+		NotNullVariableMethodSecurityEvaluationContext context= new NotNullVariableMethodSecurityEvaluationContext(authentication, methodInvocation, paramNameDiscoverer);
+		context.lookupVariable("testVariable");
+	}
+
+	private static class  NotNullVariableMethodSecurityEvaluationContext
+			extends MethodSecurityEvaluationContext {
+
+		public NotNullVariableMethodSecurityEvaluationContext(Authentication auth, MethodInvocation mi,
+				ParameterNameDiscoverer parameterNameDiscoverer) {
+			super(auth, mi, parameterNameDiscoverer);
+		}
+
+		@Override
+		public void setVariable(String name, @Nullable Object value) {
+			if ( name == null ) {
+				throw new IllegalArgumentException("name  should not be null");
+			}
+			else {
+				super.setVariable(name, value);
+			}
+		}
+	}
+}