From 94b7c12cde1b38eda5414bd88d6d068008cfb9f9 Mon Sep 17 00:00:00 2001
From: Dominic Schabel
Date: Tue, 12 Jan 2021 11:56:44 +0100
Subject: [PATCH] Fixes #1067 JSON body response for HTTP 404 error may contain unsafe URL path characters. Thus removing path from the response
Signed-off-by: Dominic Schabel
---
 ...orController.java => ErrorController.java} | 26 ++++++++++++++++---
 1 file changed, 22 insertions(+), 4 deletions(-)
 rename hawkbit-runtime/hawkbit-update-server/src/main/java/org/eclipse/hawkbit/app/{StreamAwareErrorController.java => ErrorController.java} (64%)
diff --git a/hawkbit-runtime/hawkbit-update-server/src/main/java/org/eclipse/hawkbit/app/StreamAwareErrorController.java b/hawkbit-runtime/hawkbit-update-server/src/main/java/org/eclipse/hawkbit/app/ErrorController.java
similarity index 64%
rename from hawkbit-runtime/hawkbit-update-server/src/main/java/org/eclipse/hawkbit/app/StreamAwareErrorController.java
rename to hawkbit-runtime/hawkbit-update-server/src/main/java/org/eclipse/hawkbit/app/ErrorController.java
index 39793afe74..da4c46be24 100644
--- a/hawkbit-runtime/hawkbit-update-server/src/main/java/org/eclipse/hawkbit/app/StreamAwareErrorController.java
+++ b/hawkbit-runtime/hawkbit-update-server/src/main/java/org/eclipse/hawkbit/app/ErrorController.java
@@ -8,6 +8,8 @@
 */
 package org.eclipse.hawkbit.app;
+import java.util.Map;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -23,22 +25,23 @@
 /**
 * Error page controller that ensures that ocet stream does not return text in
 * case of an error.
- *
 */
 @Controller
 // Exception squid:S3752 - errors need handling for all methods
 @SuppressWarnings("squid:S3752")
-public class StreamAwareErrorController extends BasicErrorController {
+public class ErrorController extends BasicErrorController {
+
+ private static final String PATH = "path";
 /**
- * A new {@link StreamAwareErrorController}.
+ * A new {@link ErrorController}.
 *
 * @param errorAttributes
 * the error attributes
 * @param serverProperties
 * configuration properties
 */
- public StreamAwareErrorController(final ErrorAttributes errorAttributes, final ServerProperties serverProperties) {
+ public ErrorController(final ErrorAttributes errorAttributes, final ServerProperties serverProperties) {
 super(errorAttributes, serverProperties.getError());
 }
@@ -48,4 +51,19 @@ public ResponseEntity errorStream(final HttpServletRequest request, final
 return new ResponseEntity<>(status);
 }
+ @Override
+ @RequestMapping
+ public ResponseEntity> error(final HttpServletRequest request) {
+ final HttpStatus status = getStatus(request);
+ final Map body = getErrorAttributesWithoutPath(request);
+ return new ResponseEntity<>(body, status);
+ }
+
+ private Map getErrorAttributesWithoutPath(final HttpServletRequest request) {
+ final Map body = getErrorAttributes(request, isIncludeStackTrace(request, MediaType.ALL));
+ if (body != null && body.containsKey(PATH)) {
+ body.remove(PATH);
+ }
+ return body;
+ }
 }
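Review bot: The class Javadoc kept as context at the top of this hunk still describes only the octet-stream case, although the renamed class now also filters the JSON error body; it should say so, for example `Error page controller that returns no text body for octet-stream requests and omits the request path from JSON error bodies.` The new name `ErrorController` is also the simple name of the Spring Boot `ErrorController` interface that the `BasicErrorController` hierarchy implements, so a project-specific name would avoid ambiguous imports and confusing stack traces. The class body continues outside this hunk.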
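Review bot: `getErrorAttributesWithoutPath` is a denylist of a single key, so every other attribute returned by `getErrorAttributes(...)` still reaches the JSON body. With the boolean-flag call used here that presumably includes `message`, and `trace` whenever `isIncludeStackTrace` returns true; exception text can itself echo request-derived values, so this should be confirmed against the Spring Boot version in use. Copying only the keys clients need (for example `timestamp`, `status`, `error`) into a fresh map would fail closed if further attributes appear later, and would also avoid mutating a map that a custom `ErrorAttributes` might return as unmodifiable. The `containsKey` guard is redundant, since `body.remove(PATH);` is a no-op for an absent key. Neither new method has Javadoc; a short comment on `error` such as `// "path" echoes the raw request URI, so it is dropped from the JSON error body (see #1067)` would record why the override exists.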