Fix NPE in IpAddressMatcher

Closes gh-15527 (cherry picked from commit 52de894c3c)
1 year ago · 554df6fab6
2 changed files with 19 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
@ -71,6 +71,11 @@ public final class IpAddressMatcher implements RequestMatcher {
				@@ -71,6 +71,11 @@ public final class IpAddressMatcher implements RequestMatcher {
 	}

 	public boolean matches(String address) {
+		// Do not match null or blank address
+		if (!StringUtils.hasText(address)) {
+			return false;
+		}
+
 		assertNotHostName(address);
 		InetAddress remoteAddress = parseAddress(address);
 		if (!this.requiredAddress.getClass().equals(remoteAddress.getClass())) {
--- a/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
+++ b/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
@ -1,5 +1,5 @@
				@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -126,4 +126,17 @@ public class IpAddressMatcherTests {
				@@ -126,4 +126,17 @@ public class IpAddressMatcherTests {
 			.withMessage("ipAddress 123.156.7.18.org doesn't look like an IP Address. Is it a host name?");
 	}

+	// gh-15527
+	@Test
+	public void matchesWhenIpAddressIsLoopbackAndAddressIsNullThenFalse() {
+		IpAddressMatcher ipAddressMatcher = new IpAddressMatcher("127.0.0.1");
+		assertThat(ipAddressMatcher.matches((String) null)).isFalse();
+	}
+
+	// gh-15527
+	@Test
+	public void matchesWhenAddressIsNullThenFalse() {
+		assertThat(this.v4matcher.matches((String) null)).isFalse();
+	}
+
 }