Closed
Description
java.lang.ArrayIndexOutOfBoundsException is thrown in XorCsrfTokenRequestAttributeHandler during attack
Affects version spring-security 6.0.3 (I have not tested 6.1)
java.lang.ArrayIndexOutOfBoundsException: arraycopy: last destination index 36 out of bounds for byte[8]
at org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler.xorCsrf(XorCsrfTokenRequestAttributeHandler.java:119) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler.getTokenValue(XorCsrfTokenRequestAttributeHandler.java:99) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler.resolveCsrfTokenValue(XorCsrfTokenRequestAttributeHandler.java:73) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:121) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.9.jar!/:6.0.9]
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.9.jar!/:6.0.9]
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar!/:6.0.3]
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar!/:6.0.3]
To reproduce, modify the CSRF token values on the client side (cookie-based tokens).
Expected behavior
getTokenValue should validate the encoded token length and return null if the value is incorrect. Generating a stack trace for the exception is much more expensive and may impact performance.
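The behavior requested above, sketched as an added example (not Spring Security's source and not code from the reporter): a decode routine for an XOR-masked token that rejects a malformed client value by returning null before any array copy. The class name, method names, the sample token and the wire layout base64url(random || random XOR token) with equal-length halves are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Added example (hypothetical names): XOR-masked token decode with a length check.
public class MaskedTokenDemo {
    // Assumed layout: base64url(random || (random XOR token)), both halves token-sized.
    static String mask(String token) {
        byte[] tokenBytes = token.getBytes(StandardCharsets.UTF_8);
        byte[] random = new byte[tokenBytes.length];
        new SecureRandom().nextBytes(random);
        byte[] out = new byte[tokenBytes.length * 2];
        System.arraycopy(random, 0, out, 0, random.length);
        for (int i = 0; i < tokenBytes.length; i++) {
            out[random.length + i] = (byte) (random[i] ^ tokenBytes[i]);
        }
        return Base64.getUrlEncoder().encodeToString(out);
    }

    // Returns the unmasked token, or null for any malformed client value; never throws.
    static String unmask(String clientValue, String expectedToken) {
        if (clientValue == null) { return null; }
        byte[] decoded;
        try {
            decoded = Base64.getUrlDecoder().decode(clientValue);
        } catch (IllegalArgumentException ex) {
            return null; // not valid base64url
        }
        int size = expectedToken.getBytes(StandardCharsets.UTF_8).length;
        if (decoded.length != size * 2) {
            return null; // wrong length: reject before touching the arrays
        }
        byte[] plain = new byte[size];
        for (int i = 0; i < size; i++) {
            plain[i] = (byte) (decoded[i] ^ decoded[size + i]);
        }
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String token = "3f1c2a5e-0000-4000-8000-constructed0"; // constructed 36-byte sample
        System.out.println(token.equals(unmask(mask(token), token)));
        // Constructed tampered value: 8 + 36 decoded bytes, sizes echoing the exception message.
        String tampered = Base64.getUrlEncoder().encodeToString(new byte[44]);
        System.out.println(unmask(tampered, token));
        System.out.println(unmask("%%%not-base64%%%", token));
    }
}
```

A caller that compares the returned value with the stored token should treat null as a mismatch and use a constant-time comparison such as MessageDigest.isEqual.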