  1. Jira Data Center
  2. JRASERVER-78092

Add better error handling for specific URL so it doesn't expose source code

    • Suggestion
    • Resolution: Unresolved
    • None
    • Tomcat
    • None
    • 3

      In a specific scenario, an error containing a stack trace is returned from an Atlassian plugin for both web and API requests.

      The URL is implemented natively in Jira for the gadget (dashboard), and I modified the query string so that the uri attribute was 1 (which did not exist). The result was ABNORMAL (the HTML throws the error stack log).

      <Jira BASE URL>/plugins/servlet/gadgets/dashboard-diagnostics?uri=1

      Accessing the above URL results in a 500 error, but the error stack trace is fully exposed. This issue seems to be related to Atlassian's error handling:


            Samuel Kim added a comment -

            That URI isn't affected by the Tomcat configuration, e.g. WEB-INF/web.xml and server.xml.

            I tested a custom plugin and another Jira REST API (e.g. /rest/api/2/avatar/{type}/system; I typed [asdf instead of {type}), and as a result, it returned a normal error page.

            For reference, I configured the Tomcat settings only in server.xml:

            <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false"
            showServerInfo="false" errorCode.0="…" />

            and I commented out all of the <error-page> tags in WEB-INF/web.xml.

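A check for the disclosure reported above, as an added example that is not part of the original issue or of Atlassian's code: it inspects a 5xx response body for JVM stack frames and reports which exception types and packages the body reveals. The function name, the sample bodies and the class names in them are constructed for illustration.

```python
import html
import re

# One JVM stack frame: "at pkg.Class.method(File.java:123)"
FRAME = re.compile(
    r"\bat\s+((?:[\w$]+\.)+)([\w$]+)\.([\w$<>]+)"
    r"\((?:[\w$]+\.(?:java|kt|scala):\d+|Native Method|Unknown Source)\)")
# Fully qualified exception or error class name
EXC = re.compile(r"\b(?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)\b")


def stack_trace_findings(status, body):
    """Summarise what a server-error response body discloses.

    Returns None when the status is not 5xx or no stack frames are present.
    """
    if status < 500:
        return None
    # Error pages usually HTML-escape the trace, so "<init>" arrives as
    # "&lt;init&gt;"; unescape first or constructor frames are missed.
    text = html.unescape(body)
    frames = FRAME.findall(text)
    if not frames:
        return None
    return {
        "frames": len(frames),
        "exceptions": sorted(set(EXC.findall(text))),
        "packages": sorted({pkg.rstrip(".") for pkg, _cls, _method in frames}),
    }


# Constructed sample bodies (hypothetical class names, not a real Jira trace).
LEAKY_BODY = """<html><body><h1>HTTP Status 500</h1><pre>
java.lang.IllegalArgumentException: uri
\tat com.example.gadgets.DiagnosticsServlet.doGet(DiagnosticsServlet.java:42)
\tat com.example.gadgets.Helper.&lt;init&gt;(Helper.java:10)
\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
Caused by: java.net.URISyntaxException: bad
</pre></body></html>"""
GENERIC_BODY = ("<html><body><h1>Internal Server Error</h1>"
                "<p>Reference: 7f3a</p></body></html>")

if __name__ == "__main__":
    print(stack_trace_findings(500, LEAKY_BODY))
    print(stack_trace_findings(500, GENERIC_BODY))
```

Run against responses captured from your own instance, this fits a regression test that fails whenever a servlet bypasses the container's error-page settings.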

              Unassigned
              Alex O