[SHIRO-685] Potential NullPointerException if PermissionResolver retu…

…rn null/empty string
v-yis06 · May 9, 2019 · d7d33bf · d7d33bf
1 parent 6891aaf
commit d7d33bf
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 6 deletions.
diff --git a/core/src/main/java/org/apache/shiro/realm/AuthorizingRealm.java b/core/src/main/java/org/apache/shiro/realm/AuthorizingRealm.java
@@ -26,6 +26,7 @@
 import org.apache.shiro.subject.PrincipalCollection;
 import org.apache.shiro.util.CollectionUtils;
 import org.apache.shiro.util.Initializable;
+import org.apache.shiro.util.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -431,8 +432,10 @@ private Collection<Permission> resolvePermissions(Collection<String> stringPerms
         if (resolver != null && !CollectionUtils.isEmpty(stringPerms)) {
             perms = new LinkedHashSet<Permission>(stringPerms.size());
             for (String strPermission : stringPerms) {
-                Permission permission = resolver.resolvePermission(strPermission);
-                perms.add(permission);
+                if (StringUtils.clean(strPermission) != null) {
+                    Permission permission = resolver.resolvePermission(strPermission);
+                    perms.add(permission);
+                }
             }
         }
         return perms;

diff --git a/core/src/test/java/org/apache/shiro/realm/AuthorizingRealmTest.java b/core/src/test/java/org/apache/shiro/realm/AuthorizingRealmTest.java
@@ -18,23 +18,37 @@
  */
 package org.apache.shiro.realm;
 
-import org.apache.shiro.authc.*;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAccount;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.Permission;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.authz.UnauthorizedException;
 import org.apache.shiro.authz.permission.RolePermissionResolver;
 import org.apache.shiro.authz.permission.WildcardPermission;
+import org.apache.shiro.authz.permission.WildcardPermissionResolver;
 import org.apache.shiro.subject.PrincipalCollection;
 import org.apache.shiro.subject.SimplePrincipalCollection;
 import org.junit.After;
-import static org.junit.Assert.*;
 import org.junit.Before;
 import org.junit.Test;
 
-import java.security.Principal;
-import java.util.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 
 /**
@@ -214,6 +228,40 @@ public Collection<Permission> resolvePermissionsInRole( String roleString )
         assertTrue( realm.isPermitted( pCollection, "other:bar:foo" ) );
     }
 
+    @Test
+    public void testRealmWithEmptyOrNullPermissions() {
+        Principal principal = new UsernamePrincipal("rolePermResolver");
+        PrincipalCollection pCollection = new SimplePrincipalCollection(principal, "testRealmWithRolePermissionResolver");
+
+        AuthorizingRealm realm = new AllowAllRealm();
+        realm.setRolePermissionResolver( new RolePermissionResolver()
+        {
+            public Collection<Permission> resolvePermissionsInRole( String roleString )
+            {
+                Collection<Permission> permissions = new HashSet<Permission>();
+                if( roleString.equals( ROLE ))
+                {
+                    permissions.add( new WildcardPermission( ROLE + ":perm1" ) );
+                    permissions.add( new WildcardPermission( ROLE + ":perm2" ) );
+                    permissions.add( new WildcardPermission( ROLE + ": " ) );
+                    permissions.add( new WildcardPermission( ROLE + ":\t" ) );
+                    permissions.add( new WildcardPermission( "other:*:foo" ) );
+                }
+                return permissions;
+            }
+        });
+
+        realm.setPermissionResolver(new WildcardPermissionResolver());
+        SimpleAuthorizationInfo authorizationInfo = (SimpleAuthorizationInfo) realm.getAuthorizationInfo(pCollection);
+        assertNotNull(authorizationInfo);
+        authorizationInfo.addStringPermission("");
+        authorizationInfo.addStringPermission(" ");
+        authorizationInfo.addStringPermission("\t");
+        authorizationInfo.addStringPermission(null);
+        Collection<Permission> permissions = realm.getPermissions(authorizationInfo);
+        assertEquals(permissions.size(), 4);
+    }
+
     private void assertArrayEquals(boolean[] expected, boolean[] actual) {
         if (expected.length != actual.length) {
             fail("Expected array of length [" + expected.length + "] but received array of length [" + actual.length + "]");