Evelyn Liang created LIVY-895:
---------------------------------
Summary: Livy service improper error handling
Key: LIVY-895
URL: https://issues.apache.org/jira/browse/LIVY-895
Project: Livy
Issue Type: Bug
Components: API
Affects Versions: 0.7.0
Reporter: Evelyn Liang
Attachments: livy 500 sever error.rtf
Affected API: POST /sessions
Description: The application does not handle exceptions properly. When junk
characters are supplied in a parameter, an exception is raised and the server
responds with status code 500, which should not be visible to the end user. It
was observed that throughout the applications and APIs in scope, JSON parsers,
XML parsers and the application server throw exceptions and stack traces in
several cases.
Risk:
If an attacker probes the application by forging a request that contains
parameters or parameter values other than the ones expected by the application,
the application may enter an undefined state that makes it vulnerable to
attack. The attacker can gain useful information from the application's
response to this request, information that may be exploited to locate
application weaknesses.
Fix:
Check incoming requests for the presence of all expected parameters and values.
When a parameter is missing, issue a proper error message or use default
values. The application should verify that its input consists of valid
characters (after decoding). For example, an input value containing the null
byte (encoded as %00), apostrophe, quotes, etc. should be rejected. Enforce
values in their expected ranges and types.
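The checks listed under "Fix" can be collected into a small request validator. The following is an added example written for this report; it is not Livy's own code. It assumes the field names and types of POST /sessions as published in the Livy REST API documentation (trimmed here), and it shows the behaviour the report asks for: a malformed or unexpected body yields a 400 with a short, generic message, and only genuinely unexpected failures become a 500, whose details go to the server log rather than to the client.

```python
"""Defensive validation for a JSON session-creation request.

Added example, not Livy's own code: it sketches the input checks the
report's "Fix" section describes, returning a 4xx with a generic message
instead of letting parser exceptions surface as a 500 with a stack trace.
"""
import json
import logging
import re

log = logging.getLogger("sessions")

# Field names and expected JSON types for POST /sessions, taken from the
# public Livy REST docs (assumption; trimmed for the example).
EXPECTED_FIELDS = {
    "kind": str, "proxyUser": str, "jars": list, "pyFiles": list,
    "files": list, "driverMemory": str, "driverCores": int,
    "executorMemory": str, "executorCores": int, "numExecutors": int,
    "archives": list, "queue": str, "name": str, "conf": dict,
    "heartbeatTimeoutInSecond": int,
}
ALLOWED_KINDS = {"spark", "pyspark", "sparkr", "sql"}
# Memory strings such as "512m" or "4g"; anything else is rejected.
MEMORY_RE = re.compile(r"^[1-9][0-9]{0,5}[mMgG]$")
# Control characters (including NUL) are rejected after decoding.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


class BadRequest(ValueError):
    """Client-side problem; the message is safe to return to the caller."""


def _check_string(field, value):
    if CONTROL_RE.search(value):
        raise BadRequest(f"field '{field}' contains invalid characters")
    if len(value) > 1024:
        raise BadRequest(f"field '{field}' is too long")


def validate_session_request(raw_body: bytes) -> dict:
    """Parse and validate the body; raises BadRequest, never leaks parser errors."""
    try:
        payload = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        # Do not echo the parser's own message back to the client.
        raise BadRequest("request body is not valid UTF-8 JSON")
    if not isinstance(payload, dict):
        raise BadRequest("request body must be a JSON object")

    unknown = set(payload) - set(EXPECTED_FIELDS)
    if unknown:
        raise BadRequest("unexpected parameter(s): " + ", ".join(sorted(unknown)))

    clean = {}
    for field, value in payload.items():
        expected = EXPECTED_FIELDS[field]
        # bool is a subclass of int in Python; do not let `true` pass as a count.
        if not isinstance(value, expected) or isinstance(value, bool):
            raise BadRequest(f"field '{field}' must be of type {expected.__name__}")
        if expected is str:
            _check_string(field, value)
        elif expected is list:
            for item in value:
                if not isinstance(item, str):
                    raise BadRequest(f"field '{field}' must be a list of strings")
                _check_string(field, item)
        elif expected is dict:
            for k, v in value.items():
                if not isinstance(k, str) or not isinstance(v, str):
                    raise BadRequest("field 'conf' must map strings to strings")
                _check_string("conf", k)
                _check_string("conf", v)
        clean[field] = value

    # Range and format checks on the values themselves.
    if "kind" in clean and clean["kind"] not in ALLOWED_KINDS:
        raise BadRequest("field 'kind' must be one of " + ", ".join(sorted(ALLOWED_KINDS)))
    for field in ("driverCores", "executorCores", "numExecutors"):
        if field in clean and not 0 < clean[field] <= 10_000:
            raise BadRequest(f"field '{field}' is out of range")
    for field in ("driverMemory", "executorMemory"):
        if field in clean and not MEMORY_RE.match(clean[field]):
            raise BadRequest(f"field '{field}' must look like '512m' or '4g'")
    return clean


def handle_post_sessions(raw_body: bytes):
    """Handler shape: returns (HTTP status, JSON-serialisable body)."""
    try:
        params = validate_session_request(raw_body)
    except BadRequest as exc:
        return 400, {"msg": str(exc)}
    except Exception:  # anything unexpected is logged server-side, not shown
        log.exception("unhandled error in POST /sessions")
        return 500, {"msg": "internal server error"}
    # Actual session creation is out of scope for this example.
    return 201, {"state": "starting", "params": params}
```

The catch-all branch is the part that closes the reported issue: whatever slips past validation is still logged with its traceback for the operator, but the client only ever sees a fixed string.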
Evidence:
In the attachment
--
This message was sent by Atlassian Jira
(v8.20.10#820010)