FrankChen021 opened a new pull request #12026:
URL: https://github.com/apache/druid/pull/12026
### Description
There are XSS vulnerabilities in some HTTP endpoints reported by a security
team. Some HTTP endpoints return the user parameters as an error message in
text/html format when some user parameters are invalid. In this case, the
browser will parse the returned text and execute planted JavaScript code in it.
This PR fixes this problem by:
1. Returning an object instead of text for errors
2. Explicitly setting the Content-Type to 'application/json'
Also, this PR replaces all related HTTP error response construction code
scattered across different code files with the newly added API. So, this patch
looks like a large change.
<hr>
##### Key changed/added classes in this PR
* `ResponseStatusException` is added to wrap any exceptions that want to
return a specific HTTP status code
* `NotFoundException` and `BadRequestException`, which inherit from
`ResponseStatusException`, are provided mainly to simplify code.
* `ResponseStatusExceptionMapper` is provided to map any
`ResponseStatusException` to an HTTP response which contains the error message
in JSON format
This PR has:
- [X] been self-reviewed.
- [ ] using the [concurrency
checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md)
(Remove this item if the PR doesn't have any relation to concurrency.)
- [ ] added documentation for new or modified features or behaviors.
- [ ] added Javadocs for most classes and all non-trivial methods. Linked
related entities via Javadoc links.
- [ ] added or updated version, license, or notice information in
[licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
- [ ] added comments explaining the "why" and the intent of the code
wherever would not be obvious for an unfamiliar reader.
- [ ] added unit tests or modified existing tests to cover new code paths,
ensuring the threshold for [code
coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md)
is met.
- [ ] added integration tests.
- [X] been tested in a test Druid cluster.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
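The pattern the PR describes, as an added illustration in Python that is not Druid's code (the actual fix is Java in the Druid code base): a constructed endpoint that echoes an invalid parameter in a text/html error body, beside a hardened version in which handlers raise typed status exceptions and a single mapper renders every error as a JSON object with an explicit Content-Type. The class names mirror those listed in the PR but are stand-ins; the `limit` and `datasource` parameters, `KNOWN_DATASOURCES`, the `Response` type and the `X-Content-Type-Options: nosniff` header are assumptions added here, not something the PR states.

```python
import json
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (status, headers, body)."""
    status: int
    headers: dict
    body: str

    def media_type(self) -> str:
        # Drop any charset parameter: "text/html; charset=utf-8" -> "text/html"
        return self.headers.get("Content-Type", "").split(";")[0].strip().lower()


# Constructed attacker input: if a browser renders the response as HTML,
# this script runs in the origin of the server that echoed it.
PAYLOAD = "<script>alert(document.cookie)</script>"

# Constructed sample data standing in for a resource lookup (hypothetical).
KNOWN_DATASOURCES = {"wikipedia", "events"}


def vulnerable_endpoint(params: dict) -> Response:
    """'Before' pattern: a validation failure echoed back in a text/html body."""
    raw_limit = params.get("limit", "")
    if not raw_limit.isdigit():
        # The raw parameter lands in an HTML body with no escaping: reflected XSS.
        return Response(400, {"Content-Type": "text/html"},
                        f"Invalid value for parameter 'limit': {raw_limit}")
    return Response(200, {"Content-Type": "application/json"},
                    json.dumps({"limit": int(raw_limit)}))


class ResponseStatusException(Exception):
    """Carries the HTTP status an error should be reported with (hypothetical)."""
    status = 500

    def __init__(self, message: str, status=None):
        super().__init__(message)
        self.message = message
        if status is not None:
            self.status = status


class BadRequestException(ResponseStatusException):
    status = 400


class NotFoundException(ResponseStatusException):
    status = 404


def map_exception(exc: ResponseStatusException) -> Response:
    """One place that turns an error into a JSON object with an explicit type."""
    body = json.dumps({"error": exc.message})
    headers = {
        "Content-Type": "application/json",
        # Extra hardening (assumption, not part of the PR): forbid the browser
        # from sniffing the body as HTML even if the Content-Type gets mangled.
        "X-Content-Type-Options": "nosniff",
    }
    return Response(exc.status, headers, body)


def fixed_endpoint(params: dict) -> Response:
    """'After' pattern: handlers raise typed exceptions; a single mapper renders them."""
    try:
        raw_limit = params.get("limit", "")
        if not raw_limit.isdigit():
            raise BadRequestException(f"Invalid value for parameter 'limit': {raw_limit}")
        datasource = params.get("datasource", "")
        if datasource not in KNOWN_DATASOURCES:
            raise NotFoundException(f"Unknown datasource: {datasource}")
        return Response(200, {"Content-Type": "application/json"},
                        json.dumps({"datasource": datasource, "limit": int(raw_limit)}))
    except ResponseStatusException as exc:
        return map_exception(exc)


def reflected_as_html(resp: Response, needle: str) -> bool:
    """True when the body would be rendered as HTML and carries the payload verbatim."""
    return resp.media_type() == "text/html" and needle in resp.body


def parse_body(resp: Response) -> dict:
    """Decode a JSON response body, as a client (or a test) would."""
    return json.loads(resp.body)
```

Note that the user input is still present in the fixed error body; the defence is that it travels as a JSON string value under `application/json`, which a browser will not parse as markup. Any web UI that later drops that message into the DOM must still escape it, so the mapper removes the server-side reflection but not the client's own responsibility.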