Bitbucket Data Center: BSERV-12491

Improve error handling in commits page and REST endpoint

Description

      Appending a trailing "%27" (a URL-encoded single quote) to the commits page URL in Bitbucket causes the application to output the error below.

      This is improper error handling: the response reveals the path to the git executable on the server together with the full command line that was executed, it exceeds the limits of the error page, and it gives no clear message about the cause of the failure.

      According to best practices on error handling and security:

      Physical paths, versioning information, contents of stack traces and other data can be gathered and used to help further an attack. Applications should always fail safe. If an application fails to an unknown state, it is likely that an attacker may be able to exploit this indeterminate state to access unauthorized functionality, or worse create, modify or destroy data. Error messages may also aid in the identification of other attacks such as buffer overflows and SQL injection.

      How to reproduce it

      Web browser

      1. Navigate to the following page in the browser
        <BITBUCKET_BASE_URL>/projects/<project>/repos/<repo>/commits/
      2. Append the encoded single quote (%27) to the end of the URL

      REST request with bad commit hash

      The same result can be reproduced with a GET request to the commits REST endpoint, using an invalid commit hash:

      Request
      GET /rest/api/1.0/projects/<project>/repos/<repository>/commits/1%27
      
      Response
      {
          "errors": [
              {
                  "context": null,
                  "message": "'/usr/bin/git rev-list --format=%H%x02%P%x02%aN%x02%aE%x02%at%x02%cN%x02%cE%x02%ct%n%B%n%x03END%x04 --no-walk=unsorted 1(') 1(')^@ --' exited with code 128 saying: fatal: bad revision '1(')'",
                  "exceptionName": "com.atlassian.bitbucket.scm.CommandFailedException"
              }
          ]
      }
      

      REST request with empty commit hash and path parameter

      Request
      GET <BITBUCKET_BASE_URL>/rest/api/1.0/projects/{TEST}/repos/{test}/commits
      with query parameter {"path": "test_string'"}
      

      Suggested solution

      Improve error handling on this page and endpoint: remove the executable path and command line from the response, and return a meaningful message about the cause of the error (for example, that the supplied commit hash or ref name is invalid or does not exist).
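      The following is an added example written for this issue, not Bitbucket's own code (Bitbucket is a Java application; Python is used here only to illustrate the pattern). It shows the two controls the suggested solution implies: validate the revision before it reaches git, so a value such as 1' is rejected with a 400, and, when git still fails, log the full command line and stderr server-side under a correlation id while the client receives only a generic message in the same JSON error shape the endpoint already uses. The function names, the NOT_FOUND_MARKERS strings, the correlation-id field and the injectable run callback are assumptions for the example; the ref-name rules are a conservative subset of git's check-ref-format rules.

```python
import logging
import re
import subprocess
import uuid

log = logging.getLogger("scm.commits")

# What the endpoint is willing to hand to git: an abbreviated or full hex object id,
# or a conservative subset of git's ref-name rules (assumed policy for this example).
HEX_OBJECT_ID = re.compile(r"[0-9a-fA-F]{4,64}")
REF_CHARS = re.compile(r"[A-Za-z0-9_./-]+")

# Substrings of git's stderr that mean "the revision does not exist" (exit code 128).
NOT_FOUND_MARKERS = ("bad revision", "unknown revision", "ambiguous argument")


class CommandFailed(Exception):
    """Server-side record of a failed git invocation; never serialised to clients."""

    def __init__(self, argv, returncode, stderr):
        super().__init__(f"{argv[0]} exited with code {returncode}")
        self.argv, self.returncode, self.stderr = argv, returncode, stderr


def validate_revision(rev):
    """Accept hex object ids and simple ref names; reject anything git could misparse."""
    if not rev or len(rev) > 256:
        return False
    if HEX_OBJECT_ID.fullmatch(rev):
        return True
    if not REF_CHARS.fullmatch(rev):          # rejects ' (the decoded %27), spaces, ~ ^ : ? * [ \
        return False
    if rev.startswith(("-", ".")) or rev.endswith(("/", ".", ".lock")):
        return False                          # a leading "-" would be parsed as a git option
    return not any(bad in rev for bad in ("..", "@{", "//", "/."))


def sanitize_failure(exc, correlation_id=None):
    """Log the full failure server-side and return (http_status, client_safe_body)."""
    cid = correlation_id or uuid.uuid4().hex[:12]
    log.error("git failed [%s]: argv=%r rc=%d stderr=%r", cid, exc.argv, exc.returncode, exc.stderr)
    if exc.returncode == 128 and any(m in exc.stderr for m in NOT_FOUND_MARKERS):
        status, message = 404, "The requested commit or ref does not exist in this repository."
    else:
        status, message = 500, "The repository command failed."
    body = {"errors": [{"context": None,
                        "message": f"{message} Reference: {cid}",
                        "exceptionName": None}]}
    return status, body


def run_git(argv):
    """Real runner: returns (returncode, stdout, stderr) without raising."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def lookup_commit(repo_dir, rev, run=run_git):
    """Resolve `rev` in `repo_dir`; returns (http_status, json_body) like the REST API."""
    if not validate_revision(rev):
        # Reject before touching git, so no command line or path can ever reach the client.
        return 400, {"errors": [{"context": "commit",
                                 "message": "Invalid commit hash or ref name.",
                                 "exceptionName": None}]}
    argv = ["git", "-C", repo_dir, "rev-list", "--no-walk", rev, "--"]
    rc, out, err = run(argv)
    if rc != 0:
        return sanitize_failure(CommandFailed(argv, rc, err))
    return 200, {"id": out.strip()}


if __name__ == "__main__":
    # Constructed stand-in for git so the demo runs without a repository installed.
    fake_git = lambda argv: (128, "", f"fatal: bad revision '{argv[-2]}'")
    print(lookup_commit("/srv/repo", "1'"))                        # 400, rejected by validation
    print(lookup_commit("/srv/repo", "nosuchref", run=fake_git))   # 404, sanitized git failure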

      Attachments

        Issue Links

          Activity

            People

              khughes@atlassian.com Kristy
              dgnoato@atlassian.com Douglas Gnoato
              Votes:
              2 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Backbone Issue Sync