[MAGNOLIA-9098] Error not handled in ResourceServlet with malicious resource path
Created: 20/Sep/23  Updated: 20/Sep/23  Resolved: 20/Sep/23

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Neutral
Reporter: Minh Nguyen
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-09-20-15-56-02-645.png    

 Description   

Steps to reproduce

  1. Hit a URL with a malicious path under .resources
    1. E.g: https://www.swissre.com/.resources/swissre-web/webresources/img/logos/%20ns=netsparker(0x00%2001CA)
  2. Status code is 500

Expected results

MalformedPathException should be handled and another error code, such as 404, returned.

E.g:

Actual results

Status code is 500 internal server error

Development notes

  • ResourcesServlet does not catch the exception when getting the resource.
  • JcrResourceOrigin, which implements ResourceOrigin, throws MalformedPathException.
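
The handling asked for under "Expected results", as an added example that is not part of the ticket or of Magnolia's code. The exception class, StubOrigin and statusFor are stand-ins invented here, and the path-validity rule is constructed for the demo rather than taken from JCR.

```java
import java.util.Map;

public class ResourcePathHandlingExample {

    // Stand-in for the exception named in the ticket (hypothetical local type, not the real class).
    static class MalformedPathException extends RuntimeException {
        MalformedPathException(String msg) { super(msg); }
    }

    // Hypothetical resource origin: the lookup may reject a path before searching for it.
    static class StubOrigin {
        private final Map<String, byte[]> resources =
                Map.of("/swissre-web/webresources/img/logos/logo.png", new byte[] {1, 2, 3});

        byte[] getByPath(String path) {
            // Constructed rule for the demo only: no segment may start with a space
            // or contain a control character.
            for (String segment : path.split("/")) {
                if (segment.startsWith(" ") || segment.chars().anyMatch(Character::isISOControl)) {
                    throw new MalformedPathException("invalid path segment");
                }
            }
            return resources.get(path); // null when the path is valid but absent
        }
    }

    // Maps lookup outcomes to HTTP status codes: a malformed path is a client-side miss,
    // so it is answered with 404 instead of escaping as an unhandled 500.
    static int statusFor(StubOrigin origin, String decodedPath) {
        try {
            return origin.getByPath(decodedPath) != null ? 200 : 404;
        } catch (MalformedPathException e) {
            // Record the rejection for triage; nothing about the exception reaches the response.
            System.err.println("Rejected malformed resource path: " + e.getMessage());
            return 404;
        }
    }

    public static void main(String[] args) {
        StubOrigin origin = new StubOrigin();
        String[] paths = {
            "/swissre-web/webresources/img/logos/logo.png",                  // constructed, exists
            "/swissre-web/webresources/img/logos/missing.png",               // constructed, absent
            "/swissre-web/webresources/img/logos/ ns=netsparker(0x00 01CA)"  // decoded path from the ticket
        };
        for (String p : paths) {
            System.out.println(statusFor(origin, p) + "  " + p);
        }
    }
}
```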


 Comments   
Comment by Minh Nguyen [ 20/Sep/23 ]

Created another issue, https://jira.magnolia-cms.com/browse/MGNLRES-405, under the resources module.
