
ERROR 400 Ambiguous URI path separator

Open ybelMekk opened this issue 1 year ago • 3 comments

Current Behavior

In my test environment, I set up a Docker Compose file with Dependency-Track version 4.12.0.

In production, we are currently running version 4.11.7, and the endpoint described below works without issues, both in production and the test environment.

We make extensive use of tags, especially prior to the introduction of the new tag feature, so it's fair to say that we overuse the /project/tag endpoint.

In the latest version, however, I'm unable to query tags because I receive an ERROR 400 Ambiguous URI path separator when a request query includes a tag that contains a forward slash /.

Were there any changes in the latest release regarding the handling of UTF-8 encoded query strings? Specifically, is there now any support for queries with slashes in tags?

Steps to Reproduce

  1. Send any URL-escaped query string containing a slash to the endpoint /project/tag.

For example:

curl -X 'GET' \
  'http://localhost:9010/api/v1/project/tag/project%3Aeurope-north1-docker.pkg.dev%2Fmy-p?pageNumber=1&pageSize=100' \
  -H 'accept: application/json' \
  -H 'X-Api-Key: my-key'

Expected Behavior

Return all projects with that tag.

Dependency-Track Version

4.12.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15

Browser

Other

ybelMekk avatar Oct 10 '24 13:10 ybelMekk
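The 400 in this report is Jetty refusing a request whose path contains a percent-encoded slash (%2F): the raw path and the decoded path have a different number of segments, so a router or path-based access filter could reach different decisions depending on which form it inspects. The following script is an added illustration, not code from this issue, from Dependency-Track or from Jetty. It takes the two request targets quoted in this thread (the /project/tag request above and the badge request further down) plus one constructed control request, and shows the raw-versus-decoded segment difference and how a segment-based route match diverges between the two forms. The function names and the route templates are hypothetical.

```python
"""Show why a percent-encoded '/' in a URI path is treated as ambiguous.

Added example for the Dependency-Track issue "ERROR 400 Ambiguous URI path
separator". Function names and route templates are hypothetical.
"""
import re
from urllib.parse import unquote, urlsplit

# Request targets quoted in the issue thread (placeholders kept as-is).
TAG_REQUEST = (
    "http://localhost:9010/api/v1/project/tag/"
    "project%3Aeurope-north1-docker.pkg.dev%2Fmy-p?pageNumber=1&pageSize=100"
)
BADGE_REQUEST = "/api/v1/badge/violations/project/test%20%2Fproject/latest?apiKey=API_KEY"
# Constructed control request: a tag without any slash in it.
PLAIN_REQUEST = "/api/v1/project/tag/backend?pageNumber=1&pageSize=100"

ENCODED_SLASH = re.compile(r"%2[fF]")


def _segments(path: str) -> list:
    """Split a path on literal '/' characters, dropping empty segments."""
    return [s for s in path.split("/") if s]


def analyze_request_target(target: str) -> dict:
    """Compare the raw and the percent-decoded form of a request path.

    urlsplit() leaves percent-encoding in place, so raw_path still contains
    %2F; unquote() turns it into a literal '/', which changes the segment
    structure. A request is flagged ambiguous when the raw path carries an
    encoded separator at all, which is what Jetty rejects with a 400.
    """
    raw_path = urlsplit(target).path
    decoded_path = unquote(raw_path)
    return {
        "raw_path": raw_path,
        "decoded_path": decoded_path,
        "raw_segments": len(_segments(raw_path)),
        "decoded_segments": len(_segments(decoded_path)),
        "ambiguous_separator": bool(ENCODED_SLASH.search(raw_path)),
    }


def matches_route(path: str, template: str) -> bool:
    """Segment-wise route match; '{name}' segments accept any single segment.

    This mimics how a JAX-RS style template such as /project/tag/{tag}
    binds one path parameter to exactly one segment.
    """
    path_segs = _segments(path)
    tmpl_segs = _segments(template)
    if len(path_segs) != len(tmpl_segs):
        return False
    return all(t.startswith("{") or t == p for t, p in zip(tmpl_segs, path_segs))


def route_decisions(target: str, template: str) -> dict:
    """Return the route-match outcome for the raw and the decoded path."""
    info = analyze_request_target(target)
    return {
        "raw_matches": matches_route(info["raw_path"], template),
        "decoded_matches": matches_route(info["decoded_path"], template),
        "ambiguous": info["ambiguous_separator"],
    }


if __name__ == "__main__":
    cases = [
        (TAG_REQUEST, "/api/v1/project/tag/{tag}"),
        (BADGE_REQUEST, "/api/v1/badge/violations/project/{name}/latest"),
        (PLAIN_REQUEST, "/api/v1/project/tag/{tag}"),
    ]
    for target, template in cases:
        info = analyze_request_target(target)
        dec = route_decisions(target, template)
        print(f"{info['raw_path']}")
        print(f"  decoded:   {info['decoded_path']}")
        print(f"  segments:  raw={info['raw_segments']} decoded={info['decoded_segments']}")
        print(f"  route {template}: raw={dec['raw_matches']} "
              f"decoded={dec['decoded_matches']} ambiguous={dec['ambiguous']}")
```

For the two requests from this thread the raw path matches the route template while the decoded path does not, which is exactly the disagreement a server has to resolve before any path-based filter runs; the control request behaves identically in both forms. Jetty's URI compliance configuration is what decides whether such requests are rejected up front or passed through as older versions did.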

Appears to be caused by a behavior change in Jetty: https://github.com/jetty/jetty.project/issues/12162

nscuro avatar Oct 10 '24 15:10 nscuro

Thanks for the quick feedback @nscuro.

ybelMekk avatar Oct 10 '24 15:10 ybelMekk

There seem to be ways to make it behave like before; I'll ensure we ship a fix with the next bugfix release.

nscuro avatar Oct 10 '24 15:10 nscuro

We’re experiencing the same issue and are looking forward to the fix. 🚀

janweinkauff avatar Oct 22 '24 07:10 janweinkauff

Just waiting for an Alpine release so we can pull the fix in. Will release v4.12.1 immediately afterwards, it's ready otherwise.

nscuro avatar Oct 22 '24 14:10 nscuro

I have a self-hosted Dependency-Track instance where I call the endpoint api/v1/badge/violations/project/PROJECT_NAME/latest?apiKey=API_KEY where PROJECT_NAME is URL-encoded: test%20%2Fproject. I'm still encountering an issue, and in the logs it looks like a Jetty problem. Can someone help with that?

2024-10-28 13:43:54,793 ERROR [ServerRuntime$Responder] An I/O error has occurred while writing a response message entity to the container output stream.
org.glassfish.jersey.server.internal.process.MappableException: org.eclipse.jetty.io.EofException
        at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:67)
        at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:139)
        at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1116)
        at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:691)
        at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:398)
        at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:388)
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696)
        at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397)
        at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379)
        at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1614)
        at alpine.server.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:225)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
        at alpine.server.filters.ClickjackingFilter.doFilter(ClickjackingFilter.java:93)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
        at alpine.server.filters.WhitelistUrlFilter.doFilter(WhitelistUrlFilter.java:166)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1547)
        at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:824)
        at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:436)
        at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:464)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575)
        at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717)
        at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1060)
        at org.eclipse.jetty.server.Server.handle(Server.java:182)
        at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662)
        at org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:414)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
        at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:478)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:441)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:201)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:311)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.eclipse.jetty.io.EofException: null
        at org.eclipse.jetty.io.SocketChannelEndPoint.flush(SocketChannelEndPoint.java:117)
        at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:422)
        at org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:377)
        at org.eclipse.jetty.io.SelectableChannelEndPoint$2.run(SelectableChannelEndPoint.java:67)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:478)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:426)
        ... 7 common frames omitted
Caused by: java.io.IOException: Broken pipe
        at java.base/sun.nio.ch.SocketDispatcher.writev0(Native Method)
        at java.base/sun.nio.ch.SocketDispatcher.writev(Unknown Source)
        at java.base/sun.nio.ch.IOUtil.write(Unknown Source)
        at java.base/sun.nio.ch.IOUtil.write(Unknown Source)
        at java.base/sun.nio.ch.SocketChannelImpl.write(Unknown Source)
        at java.base/java.nio.channels.SocketChannel.write(Unknown Source)
        at org.eclipse.jetty.io.SocketChannelEndPoint.flush(SocketChannelEndPoint.java:111)
        ... 12 common frames omitted

Yingrjimsch avatar Oct 28 '24 14:10 Yingrjimsch

@Yingrjimsch That is a different issue. org.eclipse.jetty.io.EofException basically means the client abandoned the connection before the server could send the complete response. Is that log always appearing when you request a badge?

nscuro avatar Oct 28 '24 14:10 nscuro

No, if I request a badge through the project ID there is no problem. Edit: My workflow requires requesting the badge through the name because the name is derived from the git repo. Do you know what the problem could be? @nscuro any ideas why this happens?

Yingrjimsch avatar Oct 29 '24 09:10 Yingrjimsch

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Nov 30 '24 10:11 github-actions[bot]