Fix Content-Sppoofing/Text injection vulnerability

rickettmwork · rickettmwork · commit 60d0ea1ef06b · 2020-10-27T14:45:07.000Z
diff --git a/server/src/fat/java/com/ibm/ws/lars/rest/ApiTest.java b/server/src/fat/java/com/ibm/ws/lars/rest/ApiTest.java
@@ -1281,7 +1281,7 @@ public void testServletSend500() throws ClientProtocolException, IOException {
     @Test
     public void testServletSend404() throws ClientProtocolException, IOException {
         String response = repository.doGet("/provoke-error-servlet?type=404", 404);
-        assertThat(response, containsString("Test Error"));
+        assertJsonErrorResponse(404, "Not found", response);
     }
 
     /**
diff --git a/server/src/main/java/com/ibm/ws/lars/rest/ErrorHandler.java b/server/src/main/java/com/ibm/ws/lars/rest/ErrorHandler.java
@@ -42,16 +42,27 @@ public class ErrorHandler extends HttpServlet {
 
     @Override
     protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        // copy the status code from the request, default to 500 if not set
+        Integer statusCode = (Integer)request.getAttribute("javax.servlet.error.status_code");
+        int status = (statusCode == null)?500:statusCode.intValue();
 
-        response.setStatus(500);
+        // copy the message from the request, but override it for error codes 500 and 404
+        String message = (String)request.getAttribute("javax.servlet.error.message");        
+        if(message == null || status == 500) {
+            message = "Internal server error, please contact the server administrator";
+        } else if(status == 404) {
+            message = "Not found";
+        }
+
+        response.setStatus(status);
         response.setContentType(MediaType.APPLICATION_JSON);
         PrintWriter printWriter = response.getWriter();
         JsonGenerator frontPageJsonGenerator = new JsonFactory().createGenerator(printWriter);
         frontPageJsonGenerator.setPrettyPrinter(new DefaultPrettyPrinter());
 
         frontPageJsonGenerator.writeStartObject();
-        frontPageJsonGenerator.writeStringField("message", "Internal server error, please contact the server administrator");
-        frontPageJsonGenerator.writeNumberField("statusCode", response.getStatus());
+        frontPageJsonGenerator.writeStringField("message", message);
+        frontPageJsonGenerator.writeNumberField("statusCode", status);
         frontPageJsonGenerator.writeEndObject();
 
         frontPageJsonGenerator.flush();
diff --git a/server/src/main/webapp/WEB-INF/web.xml b/server/src/main/webapp/WEB-INF/web.xml
@@ -31,9 +31,19 @@
 		<error-code>500</error-code>
 		<location>/error</location>
 	</error-page>
+
+	<error-page>
+		<error-code>404</error-code>
+		<location>/error</location>
+	</error-page>
 	
 	<error-page>
 		<exception-type>javax.servlet.ServletException</exception-type>
 		<location>/error</location>
 	</error-page>
-</web-app>
+
+	<error-page>
+		<exception-type>java.lang.Exception</exception-type>
+		<location>/error</location>
+	</error-page>
+</web-app>

Original file line number	Diff line number	Diff line change
`@@ -1281,7 +1281,7 @@ public void testServletSend500() throws ClientProtocolException, IOException {`
`1281`	`1281`	`@Test`
`1282`	`1282`	`public void testServletSend404() throws ClientProtocolException, IOException {`
`1283`	`1283`	`String response = repository.doGet("/provoke-error-servlet?type=404", 404);`
`1284`		`- assertThat(response, containsString("Test Error"));`
	`1284`	`+ assertJsonErrorResponse(404, "Not found", response);`
`1285`	`1285`	`}`
`1286`	`1286`
`1287`	`1287`	`/**`