aspnetboilerplate: Null reference exception in AntiForgery code

I’m getting logging events of Null Reference Exceptions thrown from this line in my production environment.

https://github.com/aspnetboilerplate/aspnetboilerplate/blob/124633706c9eb4022f501443b53eadba2a0f8a9f/src/Abp.Web.Mvc/Web/Mvc/Security/AntiForgery/AbpMvcAntiForgeryTokenManager.cs#L57

This code doesn’t look to have changed in a long time, and while I’m not getting any issues reported by my end users I am logging it happening around 4000 times a day.

Looking at the line I can’t really see any obvious candidates for things that could be null only some of the time, and I’ve been unable to replicate the problem in my local development environment with the debugger attached.

My best guess is that HttpContext.Current.Request must be null, possibly because the user caused the HTTP request to be cancelled at the client side before the AntiForgery code had executed, maybe it’s a side effect of the controller actions being async?

Would some null checks on the current context and request be reasonable here, or is there a better way to access cookies here, or does anyone have any other theories as to the cause?

Many thanks, Rob

```
System.NullReferenceException: Object reference not set to an instance of an object.
   at Abp.Web.Mvc.Security.AntiForgery.AbpMvcAntiForgeryManager.IsValid(String cookieValue, String tokenValue) in D:\GitHub\aspnetboilerplate\src\Abp.Web.Mvc\Web\Mvc\Security\AntiForgery\AbpMvcAntiForgeryTokenManager.cs:line 57
   at Abp.WebApi.Security.AntiForgery.AbpAntiForgeryApiFilter.<ExecuteAuthorizationFilterAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Abp.WebApi.Authorization.AbpApiAuthorizeFilter.<ExecuteAuthorizationFilterAsync>d__7.MoveNext() in D:\GitHub\aspnetboilerplate\src\Abp.Web.Api\WebApi\Authorization\AbpApiAuthorizeFilter.cs:line 70
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__6.MoveNext()
```

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

@Robert-Laverick when I check the ASP.NET Core’s source code, it throws an exception;

```csharp
public static void Validate(string cookieToken, string formToken)
{
  if (HttpContext.Current == null)
    throw new ArgumentException(WebPageResources.HttpContextUnavailable);

  AntiForgery._worker.Validate((HttpContextBase) new HttpContextWrapper(HttpContext.Current), cookieToken, formToken);
}
```

Thanks, it’s weird that we’re not hitting that exception, but I guess maybe I will now with the changes in 7.1? Who knows, I’ll test more and report back if it’s still misbehaving.

Although I’m a little confused by the code, since it looks like the arguments passed to the Manager from the Filter don’t match, one’s expecting two strings, and the other is sending a context, is there an alteration to the arguments in progress?

Two string parameters are sent here; https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.Web.Api/Web/Security/AntiForgery/AbpAntiForgeryManagerWebApiExtensions.cs#L34

Ahh, an extension method, I should have thought of that. Thanks for pointing it out.
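
The null checks asked about in the issue, written so that a missing context rejects the request instead of skipping validation. This is an added example, not ABP's code and not from the thread. `FailClosedAntiForgery`, `Capture` and the choice to read the cookie from a context captured before any `await` are assumptions; `AntiForgery.Validate` and `AntiForgeryConfig.CookieName` are the `System.Web.Helpers` APIs.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical helper for illustration; not ABP's AbpMvcAntiForgeryManager.
public static class FailClosedAntiForgery
{
    // Call on the request thread, before any await, so later code does not
    // depend on HttpContext.Current still being set.
    public static HttpContextBase Capture()
    {
        var current = HttpContext.Current;
        return current != null ? new HttpContextWrapper(current) : null;
    }

    // Returns true only when the token pair validates. A missing context,
    // cookie or token counts as a failed check, never as "nothing to validate".
    public static bool IsValid(HttpContextBase context, string tokenValue)
    {
        if (context == null || context.Request == null)
        {
            return false; // no request to bind the tokens to: reject
        }

        var cookie = context.Request.Cookies[AntiForgeryConfig.CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value) || string.IsNullOrEmpty(tokenValue))
        {
            return false;
        }

        try
        {
            // Validate reads HttpContext.Current itself and throws
            // ArgumentException when it is null (see the snippet quoted above).
            AntiForgery.Validate(cookie.Value, tokenValue);
            return true;
        }
        catch (HttpAntiForgeryException)
        {
            return false; // token missing, malformed or mismatched
        }
        catch (ArgumentException)
        {
            return false; // HttpContext.Current unavailable inside Validate
        }
    }
}
```

Logging each `false` branch with a distinct reason separates cancelled or context-less requests from real token mismatches in a log volume like the one reported here.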