NCIOCPL / cgov-digital-platform-dynamic-services

Legacy CDE Services

Internal server error should actually be bad request #31

Open jfrank-nih opened 2 years ago

jfrank-nih commented 2 years ago

Accessing /Common/PopUps/popDefinition.aspx without providing the id attribute results in a 500 error. Security scan flags this and wants it suppressed. Nothing vulnerable is exposed.

Technically a 400 response would probably be more appropriate here as the request is bad without the ID.

Remedy

Throw a 400 response instead of a 500 response when no ID is provided.
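An added example of the remedy above, not code from this repository: an ASP.NET Web Forms code-behind for a page like popDefinition.aspx that validates the `id` query parameter and answers 400 instead of letting an unhandled exception become a 500. The class name, the assumption that `id` is a positive integer, and `LoadDefinition` are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for popDefinition.aspx (assumption, not the project's code).
public partial class PopDefinition : Page
{
    // Returns true only when a usable id is present. Kept separate from Page_Load so the
    // rule ("required, positive integer" is an assumption here) is easy to unit test.
    public static bool TryParseRequiredId(string rawId, out int id)
    {
        id = 0;
        if (string.IsNullOrWhiteSpace(rawId))
            return false;                       // parameter absent or empty
        return int.TryParse(rawId, out id) && id > 0;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Before: an unchecked lookup. With no "id" the value is null, the parse throws,
        // and ASP.NET reports the unhandled exception as HTTP 500.
        //   int id = int.Parse(Request.QueryString["id"]);

        // After: reject the malformed request explicitly with a 400.
        int id;
        if (!TryParseRequiredId(Request.QueryString["id"], out id))
        {
            Response.Clear();
            Response.StatusCode = 400;
            Response.StatusDescription = "Bad Request";
            Response.TrySkipIisCustomErrors = true;   // keep IIS from substituting its own error page
            Response.ContentType = "text/plain";
            Response.Write("The required 'id' query parameter is missing or invalid.");
            // CompleteRequest() ends the pipeline without the ThreadAbortException that
            // Response.End() raises, so nothing else on the page runs.
            HttpContext.Current.ApplicationInstance.CompleteRequest();
            return;
        }

        LoadDefinition(id);
    }

    private void LoadDefinition(int id)
    {
        // Assumption: the page's existing rendering logic keyed on the validated id goes here.
        lblDefinitionId.Text = id.ToString();
    }
}
```

Returning 400 also gives the scanner an accurate signal (client error, not server fault), which is the basis for suppressing the finding rather than hiding it.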

jfrank-nih commented 2 years ago

Incidentally, I'd be inclined to log this one as a "we know but it's not worth fixing" if it is any harder than just changing a 5 to a 4 (or whatever the equivalent string values are) in the code.