Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Null reference exception at ServerRequestParameters.ts in populateQueryParams #1411

Closed
1 task done
JasonPaape opened this issue Mar 24, 2020 · 3 comments
Closed
1 task done

Null reference exception at ServerRequestParameters.ts in populateQueryParams #1411

JasonPaape opened this issue Mar 24, 2020 · 3 comments
Labels
bug A problem that needs to be fixed for the feature to function as intended. p1 P1 and P2 are priorities of the bug. P1 bugs should get Fixed/Closed within 4 weeks.

Comments

@JasonPaape
Copy link

Library

  • msal@1.2.2-beta.3

Framework

Found while using Angular 9 with @azure/msal-angular 1.0.0-beta.4 but that's irrelevant, the bug is in msal-core.

Description

There is a null reference bug at msal-core/src/ServerRequestParameters.ts in function 'populateQueryParams' at line 116:
// sanity check for developer passed extraQueryParameters
const eQParams: StringDict = request.extraQueryParameters;
Where 'request' can be null. There is a check above on line 88 'if (request)' but line 116 is outside of that.
This happens when the 'populateQueryParams' is called from msal-core/src/UserAgentApplication.ts
in function 'acquireTokenSilent' at line 644:
serverAuthenticationRequest.populateQueryParams(account, null, adalIdTokenObject);
Note the second param passed is null.
The code in ServerRequestParameters.ts line 116 should have a null check or be moved into the above 'if (request)' block.

Security

No

Regression

Unknown

Configuration

Irrelevant.

Reproduction steps

  1. Call acquireTokenSilent with AuthenticationParameters containing values set to flow into this block on line 640 of UserAgentApplication.ts:
    // if user didn't pass login_hint/sid and adal's idtoken is present, extract the login_hint from the adalIdToken
    else if (!account && !StringUtils.isEmpty(adalIdToken)) {
  2. See that null gets passed on line 644
  3. And that in line 116 of ServerRequestParameters.ts a null exception occurs causing a runtime script exception visible in the console.

Expected behavior

Expect no script errors, and for aquireTokenSilent to function correctly.

Browsers

Not browser specific.
@JasonPaape JasonPaape added the bug A problem that needs to be fixed for the feature to function as intended. label Mar 24, 2020
@jasonnutter jasonnutter mentioned this issue Mar 25, 2020
Closed
2 tasks
@DarylThayil DarylThayil added the p1 P1 and P2 are priorities of the bug. P1 bugs should get Fixed/Closed within 4 weeks. label Mar 25, 2020
@Porges
Copy link
Contributor

Porges commented Apr 22, 2020
edited
Loading

This is the commit which introduces the bug: bf86b89#diff-01b40b5f69b6021ac7031ce85ef0d452L120-L123

The request parameter should be marked as optional, I don’t know how this is even typechecking at the callsite which is passing null?

Porges added a commit to Porges/microsoft-authentication-library-for-js that referenced this issue Apr 22, 2020
@Porges
Check if request is null in populateQueryParams
a89f799 
This addresses AzureAD#1411, AzureAD#1237, and AzureAD#1254. I don’t know why some of these type errors are passing compilation as they should be breaking it?

Untested, edited code in browser window.
@Porges Porges mentioned this issue Apr 22, 2020
Merged
@jasonnutter
Copy link
Contributor

@Porges It is not getting typechecked because strictNullChecks is disabled (which we are aware of and plan to fix, #1097).

I'll take a look at that PR, thanks!

@jasonnutter jasonnutter mentioned this issue Apr 22, 2020
Closed
1 task
@tnorling
Copy link
Collaborator

@JasonPaape This was included in msal@1.3.0 which was just released. Let us know if this is still an issue. Thanks!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 2, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug A problem that needs to be fixed for the feature to function as intended. p1 P1 and P2 are priorities of the bug. P1 bugs should get Fixed/Closed within 4 weeks.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Porges @jasonnutter @DarylThayil @tnorling @JasonPaape