[MGNLREST-132] Response includes JCR query error if the query has an error Created: 24/Oct/17  Updated: 25/Jan/18  Resolved: 19/Jan/18

Status: Closed
Project: Magnolia REST Framework
Component/s: None
Affects Version/s: None
Fix Version/s: 2.0.2

Type: Bug Priority: Major
Reporter: Christopher Zimmermann Assignee: Hieu Nguyen Duc
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: 0d
Time Spent: 1d 0.5h
Original Estimate: 1d

Issue Links:
dependency
depends upon MGNLREST-97 Implement exception handling for rest... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Epic Link: REST Phase2
Sprint: Saigon 127, Saigon 128, Saigon 129, Saigon 130
Story Points: 1

Description

The endpoint should not return the query exception. This is a security problem, as it reveals too much about how the system is working. It will also be unexpected by a developer, and reduce trust in the system. (It's OK for it to show up in the logs.)

For example:
http://localhost:8080/magnoliaAuthor/.rest/delivery/stories/v1?tours=a358f3ad-5a03-4f5d-b0ab-cb2219100472&820a075a-8c95-4f00-b0ee-5f3bf339f1ff

Returns the text:
"javax.jcr.query.InvalidQueryException: Query:
SELECT * FROM [nt:base] AS t WHERE ([jcr:primaryType] = 'mgnl:composition') AND ([820a075a(*)-8c95-4f00-b0ee-5f3bf339f1ff] = '') AND ([tours] = 'a358f3ad-5a03-4f5d-b0ab-cb2219100472') ORDER BY LOWER(NAME(t)) ASC; expected: ]"

Another example - if I request an endpoint it cannot find, "http://localhost:8080/magnoliaAuthor/.rest/delivery/tours",
I get response "RESTEASY003210: Could not find resource for full path: http://localhost:8080/magnoliaAuthor/.rest/delivery/tours" which I should not get.
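
One way to keep the query text out of the response while still logging it, shown as an added example (not part of the ticket and not Magnolia's actual fix). It assumes the `javax.ws.rs` and `javax.jcr` APIs are on the classpath and that the `RepositoryException` reaches the JAX-RS runtime unwrapped; the class name and the `errorId` field are hypothetical.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.jcr.RepositoryException;
import javax.jcr.query.InvalidQueryException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical JAX-RS provider: maps JCR exceptions to a generic response
 * body and keeps the exception detail in the server log only.
 */
@Provider
public class SanitizingRepositoryExceptionMapper
        implements ExceptionMapper<RepositoryException> {

    private static final Logger LOG =
            Logger.getLogger(SanitizingRepositoryExceptionMapper.class.getName());

    @Override
    public Response toResponse(RepositoryException e) {
        // The correlation id lets an operator find the full exception
        // (including the generated JCR-SQL2 statement) in the log, without
        // the client ever seeing it.
        String errorId = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "REST request failed, errorId=" + errorId, e);

        // A malformed query built from request parameters is a client
        // error (400); any other repository failure is a server error (500).
        Response.Status status = (e instanceof InvalidQueryException)
                ? Response.Status.BAD_REQUEST
                : Response.Status.INTERNAL_SERVER_ERROR;

        // The body carries only fixed strings and the random id, never
        // e.getMessage(), so no query or node type names leak.
        String body = "{\"error\":\"" + status.getReasonPhrase()
                + "\",\"errorId\":\"" + errorId + "\"}";
        return Response.status(status)
                .type(MediaType.APPLICATION_JSON)
                .entity(body)
                .build();
    }
}
```

The second response above comes from a different exception type, so it needs its own mapper (for example one for `javax.ws.rs.NotFoundException`) built the same way.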

