Handle ServletException from Jetty in Dropwizard - utf-8

There seems to be no way to handle a ServletException caused by URI parsing failures in Dropwizard (using version 2.0.18).
curl -i -s -k -X $'GET' $'https://localhost/api/search/query?searchString=%bf'
HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 06 May 2021 09:17:06 GMT
Content-Type: text/html;charset=iso-8859-1
Content-Length: 751
Connection: keep-alive
Cache-Control: must-revalidate,no-cache,no-store
Strict-Transport-Security: max-age=31536000; includeSubDomains
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 400 Unable to parse URI query</title>
</head>
<body><h2>HTTP ERROR 400 Unable to parse URI query</h2>
<table>
<tr><th>URI:</th><td>/search/query</td></tr>
<tr><th>STATUS:</th><td>400</td></tr>
<tr><th>MESSAGE:</th><td>Unable to parse URI query</td></tr>
<tr><th>SERVLET:</th><td>jersey</td></tr>
<tr><th>CAUSED BY:</th><td>javax.servlet.ServletException: Filtered request failed.</td></tr>
<tr><th>CAUSED BY:</th><td>org.eclipse.jetty.http.BadMessageException: 400: Unable to parse URI query</td></tr>
<tr><th>CAUSED BY:</th><td>org.eclipse.jetty.util.Utf8Appendable$NotUtf8Exception: Not valid UTF8! byte Bf in state 0</td></tr>
</table>
</body>
</html>
The main concern here is that Jetty is sending the stack trace for the exception, which can be a security concern.
I tried ExceptionMappers, but they're not working, as I think the exception is thrown from outside the application scope. How can this be avoided?
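The exception above is raised while Jetty decodes the query string, before Jersey dispatches the request, so a JAX-RS ExceptionMapper never sees it; it is Jetty's ErrorHandler that renders the HTML table with the MESSAGE, SERVLET and CAUSED BY rows. One way to stop those details from reaching the client, as an added example that is not part of the question and not Dropwizard's or Jetty's own code (it assumes Dropwizard 2.0.x on Jetty 9.4 and a hypothetical SearchApplication class), is to install a custom ErrorHandler on the application's servlet context:

```java
// Added example: replace Jetty's default error page in a Dropwizard 2.0.x app.
// Assumptions: Dropwizard 2.0.x (Jetty 9.4, Servlet 3.1); the class name is hypothetical.
import io.dropwizard.Application;
import io.dropwizard.Configuration;
import io.dropwizard.setup.Environment;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.ErrorHandler;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.Writer;

public class SearchApplication extends Application<Configuration> {

    /**
     * Renders a fixed JSON body carrying only the status code and a generic phrase.
     * Nothing from the exception (message, servlet name, cause chain) is written.
     */
    static final class MinimalErrorHandler extends ErrorHandler {
        @Override
        public void handle(String target, Request baseRequest,
                           HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            baseRequest.setHandled(true);
            // Jetty has already set the status (400 here) before dispatching to the
            // error handler; keep it, but do not echo the exception text.
            int status = response.getStatus();
            response.setContentType("application/json;charset=utf-8");
            response.setHeader("Cache-Control", "must-revalidate,no-cache,no-store");
            try (Writer w = response.getWriter()) {
                w.write("{\"code\":" + status + ",\"message\":\"" + genericReason(status) + "\"}");
            }
        }

        /** Generic phrase derived from the status class only, never from the Throwable. */
        private static String genericReason(int status) {
            if (status >= 500) {
                return "Internal server error";
            }
            if (status == 400) {
                return "Bad request";
            }
            return "Request failed";
        }
    }

    @Override
    public void run(Configuration config, Environment environment) {
        // The failing request above was dispatched to the "jersey" servlet, i.e. inside
        // the application context, so the context-level handler covers this case.
        environment.getApplicationContext().setErrorHandler(new MinimalErrorHandler());
    }

    public static void main(String[] args) throws Exception {
        new SearchApplication().run(args);
    }
}
```

With this handler installed the same curl request still gets a 400, but the body is the fixed JSON document and contains nothing derived from the exception. Note that ErrorHandler.setShowStacks(false) only controls the stack-trace section; the response above already has no stack trace yet still lists the CAUSED BY rows, which is why the page rendering itself is replaced here rather than toggling that flag. Exceptions Jersey does catch keep going through your ExceptionMappers as before.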

Related

When calling Google Admin Directory API to write recovery email, I get response status code 400 BAD REQUEST

Here is my code:
Here is the response:
2020/09/14 12:19:51.425: INFO Results for adding ppsEmailAddress as recovery email: {data=[object Object], finalURL=https://www.googleapis.com/admin/directory/v1/users/ttestaccount#pps.net, headers={Alt-Svc=h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43", Content-Length=357, Content-Type=application/json; charset=UTF-8, Date=Mon, 14 Sep 2020 19:19:51 GMT, Server=ESF, Vary=[Origin, X-Origin, Referer], X-Content-Type-Options=nosniff, X-Frame-Options=SAMEORIGIN, X-XSS-Protection=0}, initialURL=https://www.googleapis.com/admin/directory/v1/users/ttestaccount#pps.net, statusCode=400.0, statusReason=Bad Request}
Full code:
I'm trying to follow the Google API reference here, though something is wrong with my syntax:
https://developers.google.com/admin-sdk/directory/v1/reference/users#resource
I made a similar request using the Google OAuth Playground
This was the format of my request:
PATCH /admin/directory/v1/users/youremail#joshgoldeneagle.com HTTP/1.1
Host: www.googleapis.com
Content-length: 45
Content-type: application/json
Authorization: Bearer {REPLACE WITH ACCESS TOKEN}
{
  "recoveryEmail": "yourPatchEmail#joshgoldeneagle.com"
}
Ensure that callGoogleAPI() makes a request in this format.
References:
https://developers.google.com/admin-sdk/directory/v1/reference/users/patch

Which IIS config causes the "405 Method not allowed" error for specific calls?

In our current WebAPI calls, only a few specific ones are returning the 405 error message (405 Method not allowed), the rest are working okay. The ones that are failing are only failing in a specific environment, in all the other environments all calls are returning 200 and everything is kosher.
Which IIS setting or system setting can cause this? I am zooming in on this because it looks more like a systems/config issue.
Request URL : <hostname/GetAllStuff?userId=johndoe&sortByCustom=CreatedDate&sortByOrder=desc
Request Method: GET
Status Code: 405 Method Not Allowed
Remote Address: 172.72.78.33:443
Referrer Policy: no-referrer-when-downgrade
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Allow: GET,POST,DELETE,PUT
Cache-Control: no-cache
Content-Length: 136
Content-Type: application/json; charset=utf-8
Date: Tue, 06 Nov 2018 17:16:28 GMT
Expires: -1
The response looks like this. What is strange is that ALL the API calls are 1.0 (api-version: 1.0), yet only a couple of calls throw this error, and only in a specific environment.
{
"Error": {
"Code": "UnsupportedApiVersion",
"Message": "The requested resource with API version '1.0' does not support HTTP method 'GET'."
}
}

PyOpenSSL send('GET / HTTP/1.0\r\n\r\n') doesn't work and returns 'HTTP/1.1 400 Bad Request'

I'm creating an SSL connection using PyOpenSSL and then trying to make a GET call, but I run into:
`'HTTP/1.1 400 Bad Request\r\nDate: Fri, 14 Jul 2017 20:04:51 GMT\r\nServer: Apache/2.4.18 (Ubuntu)\r\nContent-Length: 305\r\nConnection: close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n'
(Pdb) c
.. info: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at ecdhe-server Port 443</address>
</body></html>`
The code I have is as follows:
1) I create the SSL connection as follows:
from socket import socket
from OpenSSL.SSL import Context, Connection

# Body of the connecting method of the poster's class: host_name, port and proxy are
# that method's arguments; self._proxy, self._ssl_version, self._ciphers and
# self._extension are instance settings.
client = socket()
if self._proxy:
    client.connect((proxy, 8080))        # plain TCP to the proxy; TLS is started directly on it
else:
    client.connect((host_name, port))
context = Context(self._ssl_version)     # e.g. OpenSSL.SSL.TLSv1_2_METHOD
if self._ciphers:
    context.set_cipher_list(self._ciphers)          # OpenSSL cipher string (bytes on Python 3)
ssl_connection = Connection(context, client)
if self._extension == 'SNI':
    ssl_connection.set_tlsext_host_name(host_name)  # server name for SNI (bytes on Python 3)
ssl_connection.set_connect_state()       # act as the TLS client
ssl_connection.do_handshake()
self._session_ref = ssl_connection.get_session()
self._ssl_connection = ssl_connection
And then call the get() function which is as follows:
def get(self, http_version='1.0'):
    # sendall needs bytes: a str raises TypeError on Python 3.
    # HTTP/1.1 would additionally require a Host header.
    request = ("GET / HTTP/%s\r\n\r\n" % http_version).encode("ascii")
    self._ssl_connection.sendall(request)
    response_contents = self._ssl_connection.recv(4096)  # first 4096 bytes of the response only
    return response_contents
I tried all combinations of sendall and send (I think), but I run into:
.. info: HTTP/1.1 400 Bad Request
Date: Fri, 14 Jul 2017 20:19:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 305
Connection: close
Content-Type: text/html; charset=iso-8859-1
I would appreciate it if someone would help out in resolving the issue.

Invisible Google reCaptcha returns 410 when verifying user's input

We're using invisible reCAPTCHA and, once in a while, Google's JavaScript code makes a request to Google's servers and receives a response status of 410 instead of 200.
We don't have control over it, as the request is being made by Google's reCAPTCHA JavaScript code.
If the challenge has been presented to the user, the following is an example of what the failing request looks like:
GET https://www.google.com/recaptcha/api2/payload?c=03AOPBWq_EYB...
And the response is:
HTTP/1.1 410 Gone
<HTML>
<HEAD>
<TITLE>Gone</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Gone</H1>
<H2>Error 410</H2>
</BODY>
</HTML>
It fails about 10% of the time. Below is a "history" of HTTP requests:
Request #1
POST https://www.google.com/recaptcha/api2/reload?k=6LcqZCEU...
v:r20170515161201
reason:fi
bcr:[1943341955,-150...
...
HTTP/1.1 200 OK
content-type: application/json
...
)]}'
["rresp","03AOPBWq_EYBOYkGkn-1S...",null,600,["pmeta",null,null,null,
null,[[["TileSelectionStreetSign",null,3,4,4,null,null,[]
]
,["dress",null,3,4,4,null,null,[]
]
]
,[]
]
]
,"multicaptcha",null,
["bgdata","Ly93d3cuWk5rOHFMZDlvNDZFa..."]
]
The above response looks like invalid JSON but is expected as detailed here
Request #2
GET https://www.google.com/recaptcha/api2/payload?c=03AOPBWq_EYBOYk...
...
HTTP/1.1 200 OK
content-type: image/jpeg
content-length: 50528
...
<JPEG>
Request #3
POST https://www.google.com/recaptcha/api2/replaceimage?k=6LcqZCEUAA...
v:r20170515161201
c:03AOPBWq_EYBOYkGkn-1SplFL...
ds:[[5,6,9,10,13,14]]
HTTP/1.1 200 OK
content-type: application/json
...
)]}'
["dresp","03AOPBWq-Iyck5GCpx86hk57XSxF-9b4GMaDeujP...",[]
,null,[]
]
Request #4 (the failing one)
GET https://www.google.com/recaptcha/api2/payload?c=03AOPBWq_EYBOYk...
...
HTTP/1.1 410 Gone
content-type: text/html
...
<HTML>
<HEAD>
<TITLE>Gone</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Gone</H1>
<H2>Error 410</H2>
</BODY>
</HTML>
This is basically because the session has expired. Whenever you receive an error 410 (i.e. not successful and you still wish to upload the file), you must start a new session. Please have a look at the link below for details:
https://www.rfc-editor.org/rfc/rfc7231#section-6.5.9
Your call is GET. You need POST
Ref: https://www.google.com/recaptcha/api2/payload?c=03AOPBWq_EYB..

web api returning invalid json - Unexpected token

I have a web api2 controller returning a collection of complex types.
This setup has been working for some time, until it started choking on a record today.
It appears that one of the objects (out of 122), is now breaking JSON.parse on the client.
Fiddler is also not able to parse the JSON. As soon as I skip the "bad" object, valid JSON is returned.
Here are the headers from the breaking response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?QzpcZGV2XEJTR1xBcHBzXENhbXBGb3JjZVx0cnVua1xQZXJtYWwuQlNHLkNhbXBGb3JjZS5XZWJcYXBpXGNhbXBcdGVtcGxhdGVz?=
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Tue, 18 Mar 2014 00:50:14 GMT
Content-Length: 1312
If I look at the serialized object string on the client and paste it into JSONLint, it points to this area:
"HtmlValue": "<html>\n\n<body...
This looks pretty much the same as all the "good" objects, so I'm a bit stumped.
Since Web API is encoding the response as JSON, why would it allow breaking characters?
Update
Here is the breaking JSON (I retrieved it on the client prior to deserialization):
[
{
"$id": "1",
"Id": "00Xg0000000MBGoEAO",
"Name": "Template Test",
"Body": null,
"HtmlValue": "<html>\n\n<body lang=EN-US style='tab-interval:.5in'>\n\n<div class=Section1>\n\n<p class=MsoNormal><span class=SpellE><span style='font-size:20.0pt;line-height:\n115%;font-family:\"Franklin Gothic Book\",\"sans-serif\"'></span></span><span\nstyle='font-size:20.0pt;line-height:115%;font-family:\"Franklin Gothic Book\",\"sans-serif\"'><o:p></o:p></span></p>\n\n<p class=MsoNormal>testing </p>\n\n<p class=MsoNormal><o:p> </o:p></p>\n\n</div>\n\n
<!-- Visual Studio Browser Link -->
<script type="application/json" id="__browserLink_initializationData">
{"appName":"Chrome"}
</script>
<script type="text/javascript" src="http: //localhost: 61319/6cd9cb905b1e4b5bb51cb5a36ea0bd17/browserLink" async="async"></script>
<!-- End Browser Link -->
</body>\n\n</html>",
"Subject": "Test",
"IsActive": true
}
]
The plot thickens.
This part is being injected into the HTML property:
<!-- Visual Studio Browser Link -->
<script type="application/json" id="__browserLink_initializationData">
{"appName":"Chrome"}
</script>
<script type="text/javascript" src="http: //localhost: 61319/6cd9cb905b1e4b5bb51cb5a36ea0bd17/browserLink" async="async"></script>
<!-- End Browser Link -->
When I step through the code on the server, this snippet is not there, but when I view it in Fiddler, I can see it injected in the response!