Filter out invalid URI and HTTP method in the error message of no handler found for a REST request #3459
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -56,6 +56,7 @@ | |
| import java.io.ByteArrayOutputStream; | ||
| import java.io.IOException; | ||
| import java.io.InputStream; | ||
| import java.net.URI; | ||
| import java.util.HashMap; | ||
| import java.util.HashSet; | ||
| import java.util.Iterator; | ||
|
|
@@ -447,7 +448,9 @@ private void handleUnsupportedHttpMethod( | |
| msg.append("Incorrect HTTP method for uri [").append(uri); | ||
| msg.append("] and method [").append(method).append("]"); | ||
| } else { | ||
| // Not using the error message directly from 'exception.getMessage()' to avoid unescaped HTML special characters, | ||
| // in case false-positive cross site scripting vulnerability is detected by common security scanners. | ||
| msg.append("Unexpected http method"); | ||
| } | ||
| if (validMethodSet.isEmpty() == false) { | ||
| msg.append(", allowed: ").append(validMethodSet); | ||
|
|
@@ -488,7 +491,14 @@ private void handleBadRequest(String uri, RestRequest.Method method, RestChannel | |
| try (XContentBuilder builder = channel.newErrorBuilder()) { | ||
| builder.startObject(); | ||
| { | ||
| try { | ||
| // Validate input URI to filter out HTML special characters in the error message, | ||
| // in case false-positive cross site scripting vulnerability is detected by common security scanners. | ||
| uri = new URI(uri).getPath(); | ||
| builder.field("error", "no handler found for uri [" + uri + "] and method [" + method + "]"); | ||
|
There was a problem hiding this comment. LGTM, do you want to sanitize There was a problem hiding this comment. Your review is so quick! Note: There was a problem hiding this comment. Updated in the new commit 863e272 . 👍 |
||
| } catch (Exception e) { | ||
| builder.field("error", "invalid uri has been requested"); | ||
| } | ||
| } | ||
| builder.endObject(); | ||
| channel.sendResponse(new BytesRestResponse(BAD_REQUEST, builder)); | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -553,6 +553,15 @@ public void testFaviconWithWrongHttpMethod() { | |
| assertThat(channel.getRestResponse().getHeaders().get("Allow"), hasItem(equalTo(RestRequest.Method.GET.toString()))); | ||
| } | ||
|
|
||
| public void testHandleBadRequestWithHtmlSpecialCharsInUri() { | ||
| final FakeRestRequest fakeRestRequest = new FakeRestRequest.Builder(NamedXContentRegistry.EMPTY).withPath( | ||
| "/<script>alert('xss');alert(\"java\");</script>" | ||
| ).build(); | ||
| final AssertingChannel channel = new AssertingChannel(fakeRestRequest, true, RestStatus.BAD_REQUEST); | ||
| restController.dispatchRequest(fakeRestRequest, channel, client.threadPool().getThreadContext()); | ||
| assertThat(channel.getRestResponse().content().utf8ToString(), containsString("invalid uri has been requested")); | ||
| } | ||
|
|
||
| public void testDispatchUnsupportedHttpMethod() { | ||
| final boolean hasContent = randomBoolean(); | ||
| final RestRequest request = RestRequest.request(xContentRegistry(), new HttpRequest() { | ||
|
|
@@ -623,6 +632,7 @@ public Exception getInboundException() { | |
| assertTrue(channel.getSendResponseCalled()); | ||
| assertThat(channel.getRestResponse().getHeaders().containsKey("Allow"), equalTo(true)); | ||
| assertThat(channel.getRestResponse().getHeaders().get("Allow"), hasItem(equalTo(RestRequest.Method.GET.toString()))); | ||
| assertThat(channel.getRestResponse().content().utf8ToString(), containsString("Unexpected http method")); | ||
|
There was a problem hiding this comment. I think this case case throws an exception when getHttpMethod() is requested, could you please add a test case with HTTP method like There was a problem hiding this comment. Looks like this test case shows the result of any unsupported HTTP method, since the handler for HTTP method will always throw an exception https://github.com/opensearch-project/OpenSearch/blob/2.0.0/server/src/test/java/org/opensearch/rest/RestControllerTests.java#L560. There was a problem hiding this comment. @reta Sorry I find it very hard to simulate the real process after receiving an specific wrong HTTP method in the unit test. There was a problem hiding this comment. Got it, sorry about that @tlfeng , thank you! There was a problem hiding this comment. Never mind at all 😁. Thanks for your opinion. |
||
| } | ||
|
|
||
| private static final class TestHttpServerTransport extends AbstractLifecycleComponent implements HttpServerTransport { | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Super nit-pick (sorry):
Unexpected HTTP method(just to make it concise with previous errorIncorrect HTTP methodphrasing.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Haha, that definitely makes the messages neat.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated in the commit c586b5b