Stack Traces shouldn't be shared for server errors
brunobowden opened this issue · comments
Summary
Internal server errors - in this case a null pointer - shouldn't be shared outside the server. Though no information leakage seems to be possible at the moment, this should be fixed for the future.
Reproduction Steps
Note the back quote supplied for the jurisdictionType field as an invalid parameter. This should be rejected as invalid.
Beyond that, the more important fix is that any error, e.g. a NullPointerException, shouldn't share the stack trace. We should make this optional, though, so it could be shared on development machines and maybe on the hacking server to be helpful for hackers.
curl -i \
-H 'Content-Type: application/json' \
-H 'Who-Client-ID: 00000000-0000-0000-0000-000000000000' \
-H 'Who-Platform: WEB' \
-X POST 'https://staging.whocoronavirus.org/WhoService/getCaseStats' \
-d '{ "jurisdictions": [ { "jurisdictionType": "`"} ] }'
HTTP/2 500
content-type: text/html;charset=utf-8
x-cloud-trace-context: f49bfc0c69eba3b36e1eb6babc64e3ca;o=1
date: Tue, 22 Dec 2020 19:13:22 GMT
server: Google Frontend
content-length: 8916
via: 1.1 google
alt-svc: clear
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>500 java.lang.NullPointerException
at who.StoredCaseStats.load(StoredCaseStats.java:101)
at who.WhoServiceImpl.getCaseStats(WhoServiceImpl.java:117)
at sun.reflect.GeneratedMethodAccessor18.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at present.rpc.RpcInvocation$2.proceed(RpcInvocation.java:98)
at present.rpc.RpcInterceptorChain$ChainedInvocation.proceed(RpcInterceptorChain.java:43)
at present.rpc.RpcInterceptorChain$ChainedInvocation.proceed(RpcInterceptorChain.java:43)
...
Expected Behavior
- That if this error occurs, no stack trace is given
- That this causes a 400 bad argument response
Checklist:
- Searched the existing issues to ensure you are not creating a duplicate.
- Followed the Contributor Guidelines.
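One way to get both behaviours asked for above (400 for the malformed jurisdictionType, a 500 without a stack trace otherwise, with trace exposure as a switch for dev machines). This is an added example, not code from present-rpc or the WHO service; the ErrorMapper class, the ErrorResponse record and the JURISDICTION_TYPE whitelist pattern are assumptions made for illustration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example (not present-rpc or the WHO app's own code): maps exceptions
// thrown by an RPC method to an HTTP status and body. The full stack trace
// always goes to the server log; it reaches the client only when
// exposeStackTraces is true (dev machines), never in production.
public final class ErrorMapper {
    private static final Logger LOG = Logger.getLogger(ErrorMapper.class.getName());
    // Hypothetical whitelist for jurisdictionType: upper-case identifiers only.
    private static final Pattern JURISDICTION_TYPE = Pattern.compile("[A-Z_]{1,32}");

    public record ErrorResponse(int status, String body) {}

    private final boolean exposeStackTraces;

    public ErrorMapper(boolean exposeStackTraces) { this.exposeStackTraces = exposeStackTraces; }

    /** Rejects malformed input before it reaches the data layer, so it is a 400, not a 500. */
    public static void requireValidJurisdictionType(String value) {
        if (value == null || !JURISDICTION_TYPE.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid jurisdictionType");
        }
    }

    public ErrorResponse map(Throwable t) {
        if (t instanceof IllegalArgumentException) {
            // Caller error: the message is safe to return because the server composed it.
            return new ErrorResponse(400, "Bad request: " + t.getMessage());
        }
        // A correlation id lets an operator find the trace in the log while the
        // client sees no class names, source files or line numbers.
        String incidentId = UUID.randomUUID().toString();
        LOG.severe("incident " + incidentId + ": " + stackTrace(t));
        String body = exposeStackTraces
                ? "Internal error " + incidentId + "\n" + stackTrace(t)
                : "Internal error " + incidentId;
        return new ErrorResponse(500, body);
    }

    private static String stackTrace(Throwable t) {
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw));
        return sw.toString();
    }
}
```

In production the mapper is constructed with exposeStackTraces=false, so mapping a NullPointerException yields a 500 whose body carries only the incident id; passing the back quote from the report to requireValidJurisdictionType throws an IllegalArgumentException that maps to a 400.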
@crazybob - any chance present-rpc can make it configurable to hide stack traces upon errors?
@matthewblain well spotted