Empty CSP header value breaks security filter

[pschichtel]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

When a realm doesn't have a CSP header configured under "Security Defenses", then all login-related pages fail with an HTTP 500.

The logs contains the following when the default log level is increased:

2024-05-10 21:51:49,949 ERROR [io.quarkus.vertx.http.runtime.QuarkusErrorHandler] (executor-thread-8) HTTP Request to /auth/realms/realm-name/protocol/openid-connect/3p-cookies/step1.html failed, error id: 5b1c2c8a-a315-42d8-9ce4-7d1c25fa6f52-27: java.lang.NullPointerException: Cannot invoke "Object.toString()" because the return value of "jakarta.ws.rs.core.MultivaluedMap.getFirst(Object)" is null
  at org.keycloak.headers.DefaultSecurityHeadersProvider.addHtmlHeaders(DefaultSecurityHeadersProvider.java:110)
  at org.keycloak.headers.DefaultSecurityHeadersProvider.addHeaders(DefaultSecurityHeadersProvider.java:81)
  at org.keycloak.services.filters.KeycloakSecurityHeadersFilter.filter(KeycloakSecurityHeadersFilter.java:43)
  at org.jboss.resteasy.reactive.server.handlers.ResourceResponseFilterHandler.handle(ResourceResponseFilterHandler.java:25)
  at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:150)
  at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
  at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
  at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
  at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
  at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
  at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
  at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
  at java.base/java.lang.Thread.run(Thread.java:840)

keycloak/services/src/main/java/org/keycloak/headers/DefaultSecurityHeadersProvider.java

Lines 109 to 110 in 3186b6d

	ContentSecurityPolicyBuilder csp = ContentSecurityPolicyBuilder.create(
	headers.getFirst(CONTENT_SECURITY_POLICY.getHeaderName()).toString());

this section is missing the check for non-null value that e.g. the addHeader() method has. 047e804 introduced this error.

Version

24.0.4

Regression

• The issue is a regression

Expected behavior

CSP header can be left blank and login still works albeit less securely.

Actual behavior

Login-related pages (realm login page, step1.html and possibly more) fail with HTTP 500.

How to Reproduce?

1. Create a realm
2. Remove the default value of the CSP
3. Try logging in to that realm

Anything else?

The affected realm in our deployment had this header cleared many releases go and it just started failing with one of the 24.0.* releases.