WorldHealthOrganization / app

COVID-19 App

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Stack Traces shouldn't be shared for server errors

brunobowden opened this issue · comments

Summary

Internal server - in this case a null pointer - shouldn't be shared outside the server. Though no information leakage seems to be possible at the moment, this should be fixed for the future.

Reproduction Steps

Note the back quote supplied for the jurisdictionType field as an invalid parameter. This should be rejected as invalid.

Beyond that, the more important fix is that any error like, e.g. Null-Pointer-Exception, shouldn't share the stack trace. We should make this optional though, so it could be shared on the development machines and maybe on the hacking server to be helpful for hackers.

curl -i \
  -H 'Content-Type: application/json' \
  -H 'Who-Client-ID: 00000000-0000-0000-0000-000000000000' \
  -H 'Who-Platform: WEB' \
  -X POST 'https://staging.whocoronavirus.org/WhoService/getCaseStats' \
  -d '{ "jurisdictions": [ { "jurisdictionType": "`"} ] }'

HTTP/2 500 
content-type: text/html;charset=utf-8
x-cloud-trace-context: f49bfc0c69eba3b36e1eb6babc64e3ca;o=1
date: Tue, 22 Dec 2020 19:13:22 GMT
server: Google Frontend
content-length: 8916
via: 1.1 google
alt-svc: clear

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>500 java.lang.NullPointerException
	at who.StoredCaseStats.load(StoredCaseStats.java:101)
	at who.WhoServiceImpl.getCaseStats(WhoServiceImpl.java:117)
	at sun.reflect.GeneratedMethodAccessor18.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at present.rpc.RpcInvocation$2.proceed(RpcInvocation.java:98)
	at present.rpc.RpcInterceptorChain$ChainedInvocation.proceed(RpcInterceptorChain.java:43)
	at present.rpc.RpcInterceptorChain$ChainedInvocation.proceed(RpcInterceptorChain.java:43)
...

Expected Behavior

  1. That if this error occurs, no stack trace is given
  2. That this causes a 400 bad argument response

Checklist:

@crazybob - any chance present-rpc can make it configurable to hide stack traces upon errors?

@matthewblain well spotted