Previously we used IpAddressMatcher for matching IPs. After upgrading to Spring Boot 3.3, my tests started failing in cases where I provide null as 'address': due to internal checks, an NPE is thrown when a null address is supplied.
https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java#L103
In the previous version (SB 3.1), when null was provided it was internally handled as the localhost IP ("localhost/127.0.0.1" InetAddress). https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java#L109
To Reproduce
Spring Framework: 6.1.10
Spring Boot: 3.3.1
Perform: new IpAddressMatcher().matches(null)

Expected behavior
The Spring matcher should internally consider null as localhost.

Thanks in advance. If the intention is to not have a default assumption for null, please let me know. I did not find it in any release note / migration guide.
Comment From: ankith2301
This issue is resolved; I tried reproducing it and it is resolved.
Comment From: sjohnr
@hananbs thanks for reporting this. I have just pushed a fix to main to fix this bug. I was not clear on which branches exhibited the bug but eventually found that it was introduced in 6.3 so I backported the fix to 6.3.x as well, and it should be available in 6.3.5 on Monday (Nov 18, 2024).
Unfortunately, there are no tests asserting that null is a valid input to the matches() method, and we don't want to rely on InetAddress.getByName(null) to define the behavior here. So IpAddressMatcher#matches((String) null) returns false, including for "127.0.0.1". This is now codified in a test.
I should also mention that a similar behavior was exhibited by the constructor, so I have also added an assertion to the constructor that requires a non-empty input.
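To illustrate the hidden default discussed in this thread, here is an added, self-contained example that is not Spring Security's code: a simplified single-address matcher in its legacy form (address parsed directly with InetAddress.getByName, which the JDK documents as returning the loopback address for null or empty input) beside a fail-closed form that rejects null and blank input before parsing, as the fix in this thread does. The class and method names are hypothetical, and the matcher compares a single address rather than a CIDR range.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Hypothetical demo class; not part of Spring Security.
public class NullAddressDemo {

    // Legacy form (simplified): the candidate address goes straight into
    // InetAddress.getByName. Per the JDK javadoc, a null or empty host yields the
    // loopback address, so a missing address silently "matches" 127.0.0.1.
    static boolean legacyMatches(String requiredAddress, String address)
            throws UnknownHostException {
        InetAddress required = InetAddress.getByName(requiredAddress);
        InetAddress candidate = InetAddress.getByName(address);
        // InetAddress.equals compares only the address bytes, not the hostname.
        return required.equals(candidate);
    }

    // Fail-closed form: a missing address can never satisfy the matcher. The
    // constructor-side counterpart would be an equivalent check on requiredAddress.
    static boolean failClosedMatches(String requiredAddress, String address)
            throws UnknownHostException {
        if (requiredAddress == null || requiredAddress.isBlank()) {
            throw new IllegalArgumentException("required address must not be empty");
        }
        if (address == null || address.isBlank()) {
            return false; // no parsing, no loopback fallback
        }
        return InetAddress.getByName(requiredAddress).equals(InetAddress.getByName(address));
    }

    public static void main(String[] args) throws UnknownHostException {
        // Shows the JDK behaviour the thread refers to: null resolves to loopback.
        System.out.println("getByName(null) = " + InetAddress.getByName(null));

        // Legacy: null is treated as localhost, so a localhost-only rule is satisfied.
        System.out.println("legacy    matches(null) = " + legacyMatches("127.0.0.1", null));

        // Fail-closed: null never matches, including for a 127.0.0.1 rule.
        System.out.println("failClosed matches(null) = " + failClosedMatches("127.0.0.1", null));
        System.out.println("failClosed matches(\"\")   = " + failClosedMatches("127.0.0.1", ""));
        System.out.println("failClosed matches(127.0.0.1) = " + failClosedMatches("127.0.0.1", "127.0.0.1"));
    }
}
```

Running it prints true for the legacy form on null input and false for the fail-closed form, which is the behavioural difference between the versions described above; a localhost-only rule that accepts a missing address is the risk the fail-closed check removes.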