Spring Potential NPE from MethodParameter.getMethod() check in KotlinDelegate.hasDefaultValue()

Summary

In your repository (MAVENorg.springframework:spring-web @ 6.1.12), we have found a bug that may require your attention.

In file: AbstractNamedValueArgumentResolver.java, class: KotlinDelegate, method: hasDefaultValue, there is a potential Null pointer dereference at: https://github.com/spring-projects/spring-framework/blob/34764252dcd1a74db7c965059835d3655b70e528/spring-webflux/src/main/java/org/springframework/web/reactive/result/method/annotation/AbstractNamedValueArgumentResolver.java#L341

In other places of the code (e.g., https://github.com/spring-projects/spring-framework/blob/d79258ac7349d6ce9fb2574bb399b1d51c172def/spring-core/src/main/java/org/springframework/core/MethodParameter.java#L513 or https://github.com/spring-projects/spring-framework/blob/d79258ac7349d6ce9fb2574bb399b1d51c172def/spring-core/src/main/java/org/springframework/core/MethodParameter.java#L774), the return value of the getMethod method was checked for null value. But if we put it directly inside Objects.requireNonNull, we may have an exception.

A potential fix will be to replace the following line

Method method = Objects.requireNonNull(parameter.getMethod());

with

Method method = parameter.getMethod();
if (method == null) {
    return false;
}

Another option could be to use Objects.requireNonNullElse.

Sponsorship and Support

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.

Comment From: jhoeller

Good catch, this is worth turning into a more defensive check within that local delegate (also in the equivalent code in AbstractNamedValueMethodArgumentResolver for Spring MVC). That said, in practice it is not an actual bug since all current invocation scenarios are method-based anyway.