Validate API input

[valentijnscholten]

Current Behavior

My log is full of these logs:

2023-02-06 09:30:42,873 ERROR [GlobalExceptionHandler] Uncaught internal server error
                  java.lang.IllegalArgumentException: Invalid UUID string:  
                  java.base/java.util.UUID.fromString1(Unknown Source)
                  java.base/java.util.UUID.fromString(Unknown Source)
                  alpine.persistence.AbstractAlpineQueryManager.getObjectByUuid(AbstractAlpineQueryManager.java:563)
                  org.dependencytrack.resources.v1.BomResource.uploadBom(BomResource.java:259)
                  jdk.internal.reflect.GeneratedMethodAccessor199.invoke(Unknown Source)
                  java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  java.base/java.lang.reflect.Method.invoke(Unknown Source)

Of course this is clearly a mistake by the user/client, but this shouldn't result in a 500 error and also not in log messages at ERROR level. The response to the client is Uncaught internal server error, which doesn't help the client.

Proposed Behavior

• validate input fields like uuid for having the correct format
• supply validation errors (4xx) to the client in case of errors
• ideally log some info about what is wrong (without exposing too much internal/sensitive details)

Checklist

• [X] I have read and understand the contributing guidelines
• [X] I have checked the existing issues for whether this enhancement was already requested

[nscuro]

The suggestion I posted in https://github.com/DependencyTrack/dependency-track/issues/840#issuecomment-1146358660 somewhat fits into this.

If we could define requests and their formats in the OpenAPI spec, the generated code would also have syntactic validation.

[nscuro]

Should be fixed in v4.11 via https://github.com/DependencyTrack/dependency-track/pull/3590, https://github.com/DependencyTrack/dependency-track/pull/3590, and https://github.com/DependencyTrack/dependency-track/pull/3659

[github-actions[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.