Skip to content

RequestContextSubscriber could put null value in Reactor Context #7228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
robotmrv opened this issue Aug 6, 2019 · 2 comments · Fixed by #7235
Closed

RequestContextSubscriber could put null value in Reactor Context #7228

robotmrv opened this issue Aug 6, 2019 · 2 comments · Fixed by #7235
Assignees
@jgrandja
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone
5.2.0.RC1

Comments

@robotmrv
Copy link
Contributor

robotmrv commented Aug 6, 2019

Summary

There are several issues with current implementation of ServletOAuth2AuthorizedClientExchangeFilterFunction.RequestContextSubscriber introduced by #6526

Actual Behavior

  1. RequestContextSubscriber could populate reactor Context with null values - that is forbidden since fix #1797 Explicitly reject null keys/values in Context constructors reactor/reactor-core#1800 (it is possible if Flux or Mono was subscribed outside of WebRequest or security context)
  2. RequestContextSubscriber replaces source context and does not respect previous values (possibly from other library)
  3. It does not create holder for its values in a context as it was suggested in javadoc
 * Note that contexts are optimized for low cardinality key/value storage, and a user
 * might want to associate a dedicated mutable structure to a single key to represent his
 * own context instead of using multiple {@link #put}, which could be more costly.
 * Past five user key/value pair, the {@link Context} will use a copy-on-write
 * implementation backed by a new {@link java.util.Map} on each {@link #put}.

https://github.com/reactor/reactor-core/blob/master/reactor-core/src/main/java/reactor/util/context/Context.java#L36-L44

subscriber creates 4 keys (occupies almost all "optimmized" implementations of Context)
and as far as I understand CONTEXT_DEFAULTED_ATTR_NAME key is just a marker

Maybe it would be better to put all this values into some holder so you can reduce number of keys from 4 to 1. And it allows remove extra CONTEXT_DEFAULTED_ATTR_NAME

Expected Behavior

  1. RequestContextSubscriber should not populate Context with null values
  2. RequestContextSubscriber should not replace previous Context
  3. RequestContextSubscriber should create DataHolder for its nullable data and do not "pollute" Context

Version

5.1.6.RELEASE
5.2.0.M4
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 6, 2019
@robotmrv robotmrv mentioned this issue Aug 6, 2019
Closed
@robotmrv robotmrv mentioned this issue Aug 7, 2019
Merged
@jgrandja jgrandja changed the title ServletOAuth2AuthorizedClientExchangeFilterFunction.RequestContextSubscriber could create reactor.util.context.Context with null values RequestContextSubscriber could put null value in Reactor Context Aug 20, 2019
@jgrandja jgrandja self-assigned this Aug 20, 2019
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 20, 2019
@jgrandja jgrandja added this to the 5.2.0.RC1 milestone Aug 20, 2019
@robotmrv
Copy link
Contributor Author

robotmrv commented Sep 8, 2019

Hi, @jgrandja
will this fix be backported to 5.1.x?

@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.1.x labels Sep 9, 2019
Closed
jgrandja pushed a commit that referenced this issue Sep 9, 2019
@robotmrv @jgrandja
Fix NPE in RequestContextSubscriber
a5391b6 
RequestContextSubscriber could cause NPE if Mono/Flux.subscribe()
was invoked outside of Web Context.
In addition it replaced source Context with its own without respect
to old data.
Now Request Context Data is Propagated within holder class and
it is added to existing reactor Context if Holder is not empty.

Fixes gh-7228
@jgrandja
Copy link
Contributor

jgrandja commented Sep 9, 2019

Thanks for the reminder @robotmrv! I just backported.

jgrandja referenced this issue Sep 27, 2019
@jgrandja
Align Servlet ExchangeFilterFunction CoreSubscriber
2a5bd6e 
Fixes gh-7422
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jgrandja jgrandja

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Projects
None yet
Milestone
5.2.0.RC1
Development

Successfully merging a pull request may close this issue.

Fix NPE in RequestContextSubscriber robotmrv/spring-security
3 participants
@robotmrv @jgrandja @spring-projects-issues