- Type: Bug
- Resolution: Unresolved
- Priority: Low
- Affects Version/s: 8.20.0, 8.20.16, 9.4.1, 9.5.1
- Component/s: REST API
- Severity 3 - Minor
Issue Summary
When requests are made to Jira REST API methods, meaningful HTTP status responses are expected so the client knows what's wrong (or not) with the request.
In Jira, a GET request to /rest/api/latest/ returns HTTP status 405 (Method Not Allowed).
Since this endpoint doesn't actually exist, it should return HTTP status 404 (Not Found).
The same behavior occurs for requests to paths other than /rest/api/latest/ when those paths exist only as part of the path to other endpoints.
For example, the ZDU API has multiple endpoints within the /rest/api/latest/cluster/zdu path.
Running GET /rest/api/latest/cluster
Interestingly enough, if we send an OPTIONS request to these paths, the only allowed method reported is OPTIONS.
Steps to Reproduce
- Install a vanilla instance of Jira Software Data Center.
  - This was validated with JSW DC 8.20.16 and 9.5.1.
- Make a request to GET /rest/api/latest/cluster.

      curl -v -k -L -XGET \
        -u <username>:<password> \
        -H 'content-type: application/json' \
        '<Jira-Base-URL>/rest/api/latest/cluster' -o /dev/null

  - This was validated with both basic and token authentication methods.
Expected Results
Jira responds to the request with an HTTP 404 status, as the requested endpoint doesn't exist (it's just a path for other endpoints).
Actual Results
Jira responds with a 405 meaning the endpoint exists, but GET isn't an implemented method for it.
    curl -v -k -L -XGET \
      -u admin:admin \
      -H 'content-type: application/json' \
      'http://localhost:8951/j951/rest/api/latest/cluster' -o /dev/null
    Note: Unnecessary use of -X or --request, GET is already inferred.
    * Trying 127.0.0.1:8951...
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to localhost (127.0.0.1) port 8951 (#0)
    * Server auth using Basic with user 'admin'
    > GET /j951/rest/api/latest/cluster HTTP/1.1
    > Host: localhost:8951
    > Authorization: Basic YWRtaW46YWRtaW4=
    > User-Agent: curl/7.85.0
    > Accept: */*
    > content-type: application/json
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 405
    < X-AREQUESTID: 852x504x1
    < Referrer-Policy: strict-origin-when-cross-origin
    < X-XSS-Protection: 1; mode=block
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < Content-Security-Policy: frame-ancestors 'self'
    < Strict-Transport-Security: max-age=31536000
    < Set-Cookie: JSESSIONID=10474652779FA23D45660A7BBAAB26A8; Path=/j951; HttpOnly
    < X-Seraph-LoginReason: OK
    < Set-Cookie: atlassian.xsrf.token=B919-ZZ7F-E33J-XM5I_a7b869734bd1def916f61d7a6bea2c72a8ee0392_lin; Path=/j951
    < X-ASESSIONID: 1vae7y3
    < X-AUSERNAME: admin
    < Allow: OPTIONS
    < Content-Type: text/html;charset=UTF-8
    < Content-Length: 0
    < Date: Fri, 20 Jan 2023 17:12:37 GMT
    <
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
    * Connection #0 to host localhost left intact

    curl -v -k -L -XOPTIONS \
      -u admin:admin \
      -H 'content-type: application/json' \
      'http://localhost:8951/j951/rest/api/latest/cluster' -o /dev/null
    * Trying 127.0.0.1:8951...
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to localhost (127.0.0.1) port 8951 (#0)
    * Server auth using Basic with user 'admin'
    > OPTIONS /j951/rest/api/latest/cluster HTTP/1.1
    > Host: localhost:8951
    > Authorization: Basic YWRtaW46YWRtaW4=
    > User-Agent: curl/7.85.0
    > Accept: */*
    > content-type: application/json
    >
    0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0* Mark bundle as not supporting multiuse
    < HTTP/1.1 200
    < X-AREQUESTID: 858x505x1
    < Referrer-Policy: strict-origin-when-cross-origin
    < X-XSS-Protection: 1; mode=block
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < Content-Security-Policy: sandbox
    < Strict-Transport-Security: max-age=31536000
    < Set-Cookie: JSESSIONID=349FDE2EEF5FC17F553AD85F04C0A109; Path=/j951; HttpOnly
    < X-Seraph-LoginReason: OK
    < Set-Cookie: atlassian.xsrf.token=B919-ZZ7F-E33J-XM5I_b6ffef549287458f4fb1622263ac43cd5b9129e7_lin; Path=/j951
    < X-ASESSIONID: d7m6ad
    < X-AUSERNAME: admin
    < Allow: OPTIONS
    < Last-modified: Fri, 20 Jan 2023 11:40:27 BRT
    < Vary: Accept
    < Content-Type: application/xml;charset=UTF-8
    < Content-Length: 4394
    < Date: Fri, 20 Jan 2023 17:18:41 GMT
    <
    { [4394 bytes data]
    100 4394 100 4394 0 0 1795 0 0:00:02 0:00:02 --:--:-- 1801
    * Connection #0 to host localhost left intact
Workaround
When given a 405 HTTP status, make sure the REST API endpoint is described in the REST API reference.
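A client-side check for the response pattern in the transcripts above, as an added example that is not part of the original report or of Jira itself. It parses `curl -v` output and flags a 405 whose Allow header lists only OPTIONS. Treating that pattern as "no endpoint at this path" is a heuristic assumed from this report, and the function names, labels and sample text are constructed for illustration.

```python
import re

# Constructed sample, modelled on the GET transcript in this report (headers trimmed).
SAMPLE = """\
* Server auth using Basic with user 'admin'
> GET /j951/rest/api/latest/cluster HTTP/1.1
> Host: localhost:8951
>
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Mark bundle as not supporting multiuse
< HTTP/1.1 405
< Allow: OPTIONS
< Content-Length: 0
<
"""

REQ = re.compile(r"^> ([A-Z]+) (\S+) HTTP/")
STATUS = re.compile(r"^< HTTP/\S+ (\d{3})")
ALLOW = re.compile(r"^< Allow:(.*)$", re.IGNORECASE)


def parse_exchange(verbose):
    """Return the last request/response pair found in `curl -v` output."""
    ex = {"method": None, "path": None, "status": None, "allow": set()}
    for line in verbose.splitlines():
        if m := REQ.match(line):
            ex.update(method=m[1], path=m[2])
        elif m := STATUS.match(line):
            # A later status line (e.g. after a redirect followed by -L) resets Allow.
            ex.update(status=int(m[1]), allow=set())
        elif m := ALLOW.match(line):
            ex["allow"] |= {v.strip().upper() for v in m[1].split(",") if v.strip()}
    return ex


def classify(ex):
    """Heuristic (assumption): a 405 that allows only OPTIONS is a path prefix, not an endpoint."""
    if ex["status"] == 404:
        return "not-found"
    if ex["status"] != 405:
        return "other"
    if ex["allow"] == {"OPTIONS"}:
        return "no-endpoint-at-path"  # confirm against the REST API reference
    return "wrong-method"  # a real endpoint; retry with a method listed in Allow


if __name__ == "__main__":
    ex = parse_exchange(SAMPLE)
    print(ex["method"], ex["path"], ex["status"], classify(ex))
```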
Reference: