ring icon indicating copy to clipboard operation
ring copied to clipboard

Published 20 hours ago verified publisher icon ring-clojure

URL path causes exception in resource middleware

Open brown131 opened this issue 3 years ago • 3 comments

The following URL path causes an exception/internal server error in the function in ring.middleware.resource/resource-request.

//host:port/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/etc/passwd

Version: ring/ring-core 1.9.4

Exception: clojure.lang.ExceptionInfo: java.lang.NumberFormatException in Interceptor :io.pedestal.http.ring-middlewares/resource - For input string: "uf" at io.pedestal.interceptor.chain$throwable__GT_ex_info.invokeStatic(chain.clj:35) at io.pedestal.interceptor.chain$throwable__GT_ex_info.invoke(chain.clj:32) at io.pedestal.interceptor.chain$try_f.invokeStatic(chain.clj:57) at io.pedestal.interceptor.chain$try_f.invoke(chain.clj:44) at io.pedestal.interceptor.chain$process_all_with_binding.invokeStatic(chain.clj:171) at io.pedestal.interceptor.chain$process_all_with_binding.invoke(chain.clj:146) at io.pedestal.interceptor.chain$process_all$fn__20431.invoke(chain.clj:188) at clojure.lang.AFn.applyToHelper(AFn.java:152) at clojure.lang.AFn.applyTo(AFn.java:144) at clojure.core$apply.invokeStatic(core.clj:667) at clojure.core$with_bindings_STAR_.invokeStatic(core.clj:1990) at clojure.core$with_bindings_STAR_.doInvoke(core.clj:1990) at clojure.lang.RestFn.invoke(RestFn.java:425) at io.pedestal.interceptor.chain$process_all.invokeStatic(chain.clj:186) at io.pedestal.interceptor.chain$process_all.invoke(chain.clj:182) at io.pedestal.interceptor.chain$enter_all.invokeStatic(chain.clj:235) at io.pedestal.interceptor.chain$enter_all.invoke(chain.clj:229) at io.pedestal.interceptor.chain$execute.invokeStatic(chain.clj:379) at io.pedestal.interceptor.chain$execute.invoke(chain.clj:352) at io.pedestal.interceptor.chain$execute.invokeStatic(chain.clj:389) at io.pedestal.interceptor.chain$execute.invoke(chain.clj:352) at io.pedestal.http.impl.servlet_interceptor$interceptor_service_fn$fn__23017.invoke(servlet_interceptor.clj:351) at io.pedestal.http.servlet.FnServlet.service(servlet.clj:28) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799) at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1631) at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:487) at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:336) at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:301) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:763) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) at org.eclipse.jetty.server.Server.handle(Server.java:516) at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:400) at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034) at java.base/java.lang.Thread.run(Thread.java:834) Caused by: java.lang.NumberFormatException: For input string: "uf" at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) at java.base/java.lang.Integer.parseInt(Integer.java:652) at java.base/java.lang.Integer.valueOf(Integer.java:957) at ring.util.codec$parse_bytes$fn__16192.invoke(codec.clj:44) at clojure.core$map$fn__5935.invoke(core.clj:2772) at clojure.lang.LazySeq.sval(LazySeq.java:42) at clojure.lang.LazySeq.seq(LazySeq.java:51) at clojure.lang.RT.seq(RT.java:535) at clojure.lang.Numbers.byte_array(Numbers.java:1424) at ring.util.codec$parse_bytes.invokeStatic(codec.clj:45) at ring.util.codec$parse_bytes.invoke(codec.clj:41) at ring.util.codec$percent_decode$fn__16197.invoke(codec.clj:56) at clojure.string$replace_by.invokeStatic(string.clj:69) at clojure.string$replace.invokeStatic(string.clj:106) at clojure.string$replace.invoke(string.clj:75) at ring.util.codec$percent_decode.invokeStatic(codec.clj:53) at ring.util.codec$percent_decode.invoke(codec.clj:47) at ring.util.codec$url_decode.invokeStatic(codec.clj:77) at ring.util.codec$url_decode.invoke(codec.clj:71) at ring.util.codec$url_decode.invokeStatic(codec.clj:75) at ring.util.codec$url_decode.invoke(codec.clj:71) at ring.middleware.resource$resource_request.invokeStatic(resource.clj:17) at ring.middleware.resource$resource_request.invoke(resource.clj:9) at ring.middleware.resource$resource_request.invokeStatic(resource.clj:14) at ring.middleware.resource$resource_request.invoke(resource.clj:9) at io.pedestal.http.ring_middlewares$resource$fn__22357.invoke(ring_middlewares.clj:146) at io.pedestal.interceptor.helpers$handler$fn__20673.invoke(helpers.clj:261) at clojure.lang.AFn.applyToHelper(AFn.java:154) at clojure.lang.AFn.applyTo(AFn.java:144) at clojure.core$apply.invokeStatic(core.clj:669) at clojure.core$apply.invoke(core.clj:662) at io.pedestal.interceptor.helpers$before$fn__20598.invoke(helpers.clj:109) at io.pedestal.interceptor.chain$try_f.invokeStatic(chain.clj:54) ... 55 common frames omitted

brown131 avatar May 09 '22 13:05 brown131

What should it do instead? The HTTP server is passing it an invalid URL path, as far as I can see?

weavejester avatar May 09 '22 13:05 weavejester

Would it be possible to handle this as a 400 bad request instead of a 500? That seems preferable to me since it is the client that is asking for something invalid. It would be nice to have an easy way to control what should happen in this situation. I love how ring turns the request into data. I'm not sure if there is a reasonable way to turn a bad request into data though.

cj-hurst avatar May 17 '22 21:05 cj-hurst