
[GHI#29458] Empty CSP header value breaks security filter


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      authentication

      Describe the bug

      When a realm doesn't have a CSP header configured under "Security Defenses", then all login-related pages fail with an HTTP 500.

      The logs contain the following once the default log level is increased:

      ```
      2024-05-10 21:51:49,949 ERROR [io.quarkus.vertx.http.runtime.QuarkusErrorHandler] (executor-thread-8) HTTP Request to /auth/realms/realm-name/protocol/openid-connect/3p-cookies/step1.html failed, error id: 5b1c2c8a-a315-42d8-9ce4-7d1c25fa6f52-27: java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "jakarta.ws.rs.core.MultivaluedMap.getFirst(Object)" is null
      at org.keycloak.headers.DefaultSecurityHeadersProvider.addHtmlHeaders(DefaultSecurityHeadersProvider.java:110)
      at org.keycloak.headers.DefaultSecurityHeadersProvider.addHeaders(DefaultSecurityHeadersProvider.java:81)
      at org.keycloak.services.filters.KeycloakSecurityHeadersFilter.filter(KeycloakSecurityHeadersFilter.java:43)
      at org.jboss.resteasy.reactive.server.handlers.ResourceResponseFilterHandler.handle(ResourceResponseFilterHandler.java:25)
      at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:150)
      at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
      at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
      at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
      at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
      at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
      at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
      at java.base/java.lang.Thread.run(Thread.java:840)
      ```

      https://github.com/keycloak/keycloak/blob/3186b6db8efe5f1e9132e7fd48b35208a7d92fd6/services/src/main/java/org/keycloak/headers/DefaultSecurityHeadersProvider.java#L109-L110

      This section is missing the null check that, for example, the addHeader() method has. Commit 047e80445f0e82cf2704943baf425fc6fa16d104 introduced this error.
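      An added example (not Keycloak's code) that reproduces the failure pattern from the stack trace with a plain Map standing in for jakarta.ws.rs.core.MultivaluedMap, and shows the null-safe variant beside it; the header name and the sample CSP value are assumptions:

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not Keycloak's code: why a blank CSP value breaks the
// header filter (NullPointerException -> HTTP 500) and how a null check
// lets login pages still render without the header.
public class CspHeaderExample {

    // Stand-in for jakarta.ws.rs.core.MultivaluedMap#getFirst: returns the
    // first value for the key, or null when no value is configured.
    static String getFirst(Map<String, List<String>> headers, String key) {
        List<String> values = headers.get(key);
        return (values == null || values.isEmpty()) ? null : values.get(0);
    }

    // Pattern from the report: toString() is called unconditionally on the
    // result of getFirst(), which is null when the realm's CSP is blank.
    static String broken(Map<String, List<String>> headers) {
        return getFirst(headers, "Content-Security-Policy").toString();
    }

    // Null-safe variant: returns null (caller omits the header) when no CSP
    // value is configured, instead of throwing.
    static String fixed(Map<String, List<String>> headers) {
        String csp = getFirst(headers, "Content-Security-Policy");
        if (csp == null || csp.isBlank()) {
            return null;
        }
        return csp;
    }

    public static void main(String[] args) {
        // Constructed sample values; the CSP string is an assumption.
        Map<String, List<String>> configured = new HashMap<>();
        configured.put("Content-Security-Policy",
                List.of("frame-src 'self'; frame-ancestors 'self'; object-src 'none';"));
        Map<String, List<String>> blank = new HashMap<>(); // CSP cleared under "Security Defenses"

        System.out.println("fixed(configured) = " + fixed(configured));
        System.out.println("fixed(blank)      = " + fixed(blank)); // null, header omitted
        try {
            broken(blank);
        } catch (NullPointerException e) {
            System.out.println("broken(blank) threw: " + e.getMessage());
        }
    }
}
```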

      Version

      24.0.4

      Regression

      [X] The issue is a regression

      Expected behavior

      CSP header can be left blank and login still works albeit less securely.

      Actual behavior

      Login-related pages (realm login page, step1.html and possibly more) fail with HTTP 500.

      How to Reproduce?

      1. Create a realm
      2. Remove the default value of the CSP
      3. Try logging in to that realm

      Anything else?

      The affected realm in our deployment had this header cleared many releases ago, and it just started failing with one of the 24.0.* releases.

      Assignee: Unassigned
      Reporter: Pavel Vlha (pvlha)
      Keycloak Core Clients