
Comments (7)

yawkat commented on May 30, 2024

Yeah, we should try to avoid user-controlled output in error messages.

from micronaut-core.

yawkat commented on May 30, 2024

go ahead :)


rlconst commented on May 30, 2024

After investigation, as an immediate workaround I can try to substitute io.micronaut.http.server.exceptions.URISyntaxHandler. The error itself is reported from the guts of the JDK: java.net.URI.Parser#fail(java.lang.String, int).


be-a-bee commented on May 30, 2024

@yawkat, what is the recommendation here?

Option 1:
Offer a configuration to define whether the exception message should be suppressed or not.
Outcome if the message is to be suppressed (default): "message":"Malformed URI"
Outcome if the message is NOT to be suppressed: "message":"Malformed URI: Illegal character in query at index 2: /?">="

Option 2:
Always suppress the exception message. If someone comes with a requirement that they want the exception to be printed, then implement Option 1.
Outcome : "message":"Malformed URI"

Option 3:
Always encode/escape the content in the exception message before printing to logs. For example, < would be encoded as &lt;.
Outcome: "message":"Malformed URI: Illegal character in query at index 2: /?"&gt;&lt;tag&gt;="

Option 4:
Offer a configuration to define whether the exception message should be suppressed, encoded, or displayed as it is.
Outcome if the message is to be suppressed: "message":"Malformed URI"
Outcome if the message is to be encoded (default): "message":"Malformed URI: Illegal character in query at index 2: /?"&gt;&lt;tag&gt;="
Outcome if the message is NOT to be suppressed: "message":"Malformed URI: Illegal character in query at index 2: /?">="

Personally I prefer Option 4 but Option 2 or Option 1 are also acceptable. What do the maintainers prefer ?


yawkat commented on May 30, 2024

@be-a-bee the path should not be included at all, so option 2. I don't think a config option is necessary. It's also fine if the index is included in the message, but we should avoid the user-supplied input altogether.

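A handler in the shape yawkat asks for (option 2: keep the JDK's reason and index, drop the user-supplied input), written here as an added example; it is not the micronaut-core fix and is not taken from #10324. The class name SafeUriSyntaxHandler and the helper safeMessage are mine. It assumes Micronaut's ExceptionHandler, @Replaces and JsonError API on a jakarta.inject runtime, and that the stock URISyntaxHandler can be replaced wholesale as rlconst suggested above.

```java
package example.errors;

import io.micronaut.context.annotation.Replaces;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpResponse;
import io.micronaut.http.annotation.Produces;
import io.micronaut.http.hateoas.JsonError;
import io.micronaut.http.server.exceptions.ExceptionHandler;
import io.micronaut.http.server.exceptions.URISyntaxHandler;
import jakarta.inject.Singleton;

import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example, not micronaut-core's own handler: answers a URISyntaxException
 * with a message built only from the JDK's reason and character index. The
 * offending request target (attacker-controlled) is never copied into the body.
 */
@Produces
@Singleton
@Replaces(URISyntaxHandler.class) // assumption: the stock handler is swapped out entirely
public class SafeUriSyntaxHandler
        implements ExceptionHandler<URISyntaxException, HttpResponse<JsonError>> {

    @Override
    public HttpResponse<JsonError> handle(HttpRequest request, URISyntaxException e) {
        return HttpResponse.badRequest(new JsonError(safeMessage(e)));
    }

    /**
     * getReason() is a fixed string chosen inside java.net.URI.Parser
     * ("Illegal character in query", ...); getIndex() is an int.
     * getInput() and getMessage() both carry the raw URI and are deliberately unused.
     */
    static String safeMessage(URISyntaxException e) {
        StringBuilder sb = new StringBuilder("Malformed URI");
        String reason = e.getReason();
        if (reason != null && !reason.isEmpty()) {
            sb.append(": ").append(reason);
        }
        if (e.getIndex() >= 0) {
            sb.append(" at index ").append(e.getIndex());
        }
        return sb.toString();
    }

    /** Stand-alone demonstration against the input quoted in this thread. */
    public static void main(String[] args) {
        String hostile = "/?\"><tag>=\""; // constructed input, the same one the thread discusses
        try {
            new URI(hostile);
        } catch (URISyntaxException e) {
            // JDK message echoes the input:  Illegal character in query at index 2: /?"><tag>="
            System.out.println("raw : " + e.getMessage());
            // Client-facing message:         Malformed URI: Illegal character in query at index 2
            System.out.println("safe: " + safeMessage(e));
        }
    }
}
```

The index is harmless to expose (it is an integer the client already knows), while the reason text comes from string literals inside the JDK parser, so neither term can carry markup or log-breaking characters. Encoding the input (option 3) would only be needed if the input had to be shown at all.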

be-a-bee commented on May 30, 2024

Thanks @yawkat for the prompt response. If I may, I will contribute a PR for Option 2.


sdelamo commented on May 30, 2024

closed via #10324

