
call stack returned in odata response

Open MiaoDensmore opened this issue 6 years ago • 5 comments

Assemblies affected

Microsoft.AspNetCore.OData 7.2.1

Reproduce steps

In a non-development environment, if the OData stack invalidates an otherwise valid response, for example if I did not specify “routes.MaxTop(null)” and a request comes in with “Top=100”, the response received by the caller looks like this:

Id = 48, Status = RanToCompletion, Method = "{null}", Result =
    {
      "error": {
        "code": "",
        "message": "The query specified in the URI is not valid. The limit of '0' for Top query has been exceeded. The value from the incoming request is '100'.",
        "details": [],
        "innererror": {
          "message": "The limit of '0' for Top query has been exceeded. The value from the incoming request is '100'.",
          "type": "Microsoft.OData.ODataException",
          "stacktrace": " at Microsoft.AspNet.OData.Query.Validators.TopQueryValidator.Validate(TopQueryOption topQueryOption, ODataValidationSettings validationSettings)\r\n
                         at Microsoft.AspNet.OData.Query.Validators.ODataQueryValidator.Validate(ODataQueryOptions options, ODataValidationSettings validationSettings)\r\n
                         at Microsoft.AspNet.OData.EnableQueryAttribute.ValidateQuery(HttpRequest request, ODataQueryOptions queryOptions)\r\n
                         at Microsoft.AspNet.OData.EnableQueryAttribute.<>c__DisplayClass1_0.<OnActionExecuted>b__1(ODataQueryContext queryContext)\r\n
                         at Microsoft.AspNet.OData.EnableQueryAttribute.ExecuteQuery(Object responseValue, IQueryable singleResultCollection, IWebApiActionDescriptor actionDescriptor, Func2 modelFunction, IWebApiRequestMessage request, Func2 createQueryOptionFunction)\r\n
                         at Microsoft.AspNet.OData.EnableQueryAttribute.OnActionExecuted(Object responseValue, IQueryable singleResultCollection, IWebApiActionDescriptor actionDescriptor, IWebApiRequestMessage request, Func2 modelFunction, Func2 createQueryOptionFunction, Action1 createResponseAction, Action3 createErrorAction)"
        }
      }
    }
AsyncState: null  CancellationPending: false  CreationOptions: None  Exception: null  Id: 48  Status: RanToCompletion

As you can see, the call stack is included in the response. Could we avoid having call stacks exposed to the caller?

Expected result

Call stacks shall not be returned

Actual result

call stack is exposed


MiaoDensmore, Jan 03 '20 17:01

@MiaoDensmore Thanks for reporting. There seem to be two issues mentioned here that need to be looked at:

  1. The default value for the MaxTop. If nothing is specified, we should not limit the query option value.
  2. The service owner should have the ability to allow or suppress the stacktrace in the error response.

KanishManuja-MS, Jan 07 '20 17:01
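The two points above, and the report they answer, as an added example that is not part of this issue or of the OData/WebApi code base. It assumes an ASP.NET Core 2.x project on Microsoft.AspNetCore.OData 7.x with MVC routing (which is what the reporter's “routes.MaxTop(null)” implies); `Product`, `Startup` and `SanitizeODataErrorFilter` are names chosen here, and the key names the filter strips are an assumption about how 7.x builds the 400 body, stated in the comments.

```csharp
// Added example, not code from the OData/WebApi repository. Assumes an ASP.NET
// Core 2.x project using Microsoft.AspNetCore.OData 7.x with MVC routing.
// Product, Startup and SanitizeODataErrorFilter are names chosen for this example.
using Microsoft.AspNet.OData.Builder;
using Microsoft.AspNet.OData.Extensions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.OData;
using Microsoft.OData.Edm;

public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class Startup
{
    private readonly IHostingEnvironment _env;

    public Startup(IHostingEnvironment env) => _env = env;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddOData();
        services.AddMvc(options =>
        {
            // Result filters run after action filters such as [EnableQuery], so
            // this one sees the 400 result that query validation puts on the
            // context. Outside Development, never let exception details out.
            if (!_env.IsDevelopment())
            {
                options.Filters.Add<SanitizeODataErrorFilter>();
            }
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseMvc(routes =>
        {
            routes.EnableDependencyInjection();
            // Point 1 from the thread: state the $top policy explicitly instead
            // of relying on the default. MaxTop(null) removes the cap entirely;
            // MaxTop(100) keeps one, but with a known and documented value.
            routes.Select().Filter().OrderBy().Expand().Count().MaxTop(100);
            routes.MapODataServiceRoute("odata", "odata", GetEdmModel());
        });
    }

    private static IEdmModel GetEdmModel()
    {
        var builder = new ODataConventionModelBuilder();
        builder.EntitySet<Product>("Products");
        return builder.GetEdmModel();
    }
}

// Point 2 from the thread: strip debug detail from the error body before the
// OData error serializer writes it out as "innererror".
public sealed class SanitizeODataErrorFilter : IResultFilter
{
    // Assumption: in 7.x, EnableQueryAttribute answers a failed validation with
    // a BadRequestObjectResult whose Value is a SerializableError keyed by these
    // names (the "type" and "stacktrace" fields in the reporter's output come
    // from them). "Message" and "ExceptionMessage" are kept on purpose so the
    // caller still learns which query option was rejected.
    private static readonly string[] DebugKeys = { "StackTrace", "ExceptionType", "InnerException" };

    public void OnResultExecuting(ResultExecutingContext context)
    {
        var objectResult = context.Result as ObjectResult;
        if (objectResult == null)
        {
            return;
        }

        switch (objectResult.Value)
        {
            case SerializableError error:
                foreach (var key in DebugKeys)
                {
                    error.Remove(key);
                }
                break;

            case ODataError odataError:
                // If the body is already an ODataError, innererror is where the
                // type name and stack trace live; drop it entirely.
                odataError.InnerError = null;
                break;
        }
    }

    public void OnResultExecuted(ResultExecutedContext context)
    {
    }
}
```

To check the result, run the service with ASPNETCORE_ENVIRONMENT set to anything other than Development and request `/odata/Products?$top=1000`: the 400 body should still carry the “limit ... for Top query has been exceeded” message but no `stacktrace` and no `type` field. Keeping the outer message is deliberate; a caller needs to know the query was rejected, it does not need the validator's call chain to know that.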

Exposing call stack information is a security vulnerability. The default needs to be that there is no call stack.

davidmilligan, Jan 15 '20 14:01

Not only the stack trace, but we have to suppress full type information too. For example: "Could not find a property named 'blah' on type 'FullNamespaceInformation.ClassName'".

devlie, Mar 18 '21 20:03

What's the status of this issue?

marcvannieuwenhuijzen, Dec 18 '23 10:12

Got a note for this in a security audit. Quite surprised there isn't an option for turning off stack traces already.

spaasis, Jan 05 '24 08:01