SCIMReferenceCode icon indicating copy to clipboard operation
SCIMReferenceCode copied to clipboard
verified publisher icon AzureAD

Patch phone numbers triggers object null reference exception

Open GuidoNeele opened this issue 4 years ago • 0 comments

When an existing user is patched with a phone number that's not already in the list a null reference exception will occur.

https://github.com/AzureAD/SCIMReferenceCode/blob/ae181c1d0800a2a22333f0a4081c4012f39028e8/Microsoft.SystemForCrossDomainIdentityManagement/Protocol/Core2EnterpriseUserExtensions.cs#L934-L943

This checks if the phone number already exists, if not then the SingleOrDefault() will assign null to phoneNumber.

https://github.com/AzureAD/SCIMReferenceCode/blob/ae181c1d0800a2a22333f0a4081c4012f39028e8/Microsoft.SystemForCrossDomainIdentityManagement/Protocol/Core2EnterpriseUserExtensions.cs#L964

A few lines later (after retrieving the value of the patch operation) the phone number is updated while phoneNumber is null.

The same structure is used for patching email adresses, roles, addresses etc.

The patch body looked like this:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Add",
            "path": "phoneNumbers[type eq \"work\"].value",
            "value": "1120"
        }
    ]
}

Phone numbers did exist but not of type 'work'.

GuidoNeele avatar Jul 13 '21 10:07 GuidoNeele