devhub-tud / devhub

DevHub is a software system designed to give students a simple practical introduction into modern software development.

Redirect URI not properly escaped (404's on branch page session expiration) #301

Closed jwgmeligmeyling closed 8 years ago

jwgmeligmeyling commented 8 years ago

Some users try to access the branch page with the unencoded URL (/branch/refs/heads/Part_0). Probably, somewhere in Devhub, the URL is still appearing unescaped, but where?

7:14:38.585 WARN  n.t.e.d.s.w.errors.NotFoundExceptionMapper - Resource was not found for method GET at http://devhub.ewi.tudelft.nl/courses/ti1706/1516/groups/86/branch/refs/heads/Part_0, failed with: Could not find resource for full path: http://devhub.ewi.tudelft.nl/courses/ti1706/1516/groups/86/branch/refs/heads/Part_0 (c1d4b7ae-083d-443d-9c3b-7dc99d7265fa)
javax.ws.rs.NotFoundException: Could not find resource for full path: http://devhub.ewi.tudelft.nl/courses/ti1706/1516/groups/86/branch/refs/heads/Part_0
    at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:112) ~[resteasy-jaxrs-3.0.10.Final.jar:na]
    at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43) ~[resteasy-jaxrs-3.0.10.Final.jar:na]
    at org.jboss.resteasy.core.registry.RootClassNode.match(RootClassNode.java:48) ~[resteasy-jaxrs-3.0.10.Final.jar:na]
    at org.jboss.resteasy.core.ResourceMethodRegistry.getResourceInvoker(ResourceMethodRegistry.java:444) ~[resteasy-jaxrs-3.0.10.Final.jar:na]
    at org.jboss.resteasy.core.SynchronousDispatcher.getInvoker(SynchronousDispatcher.java:234) ~[resteasy-jaxrs-3.0.10.Final.jar:na]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:171) ~[resteasy-jaxrs-3.0.10.Final.jar:na]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:na]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.10.Final.jar:na]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.10.Final.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808) [jetty-servlet-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669) [jetty-servlet-9.2.10.v20150310.jar:9.2.10.v20150310]
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89) [guice-servlet-4.0.jar:na]
    at nl.tudelft.ewi.devhub.server.web.filters.RepositoryAuthorizeFilter.doFilter(RepositoryAuthorizeFilter.java:85) [devhub-server.jar:na]
    at nl.tudelft.ewi.devhub.server.web.filters.RepositoryAuthorizeFilter.doFilter(RepositoryAuthorizeFilter.java:73) [devhub-server.jar:na]
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-4.0.jar:na]
    at nl.tudelft.ewi.devhub.server.web.filters.UserAuthorizeFilter.doFilter(UserAuthorizeFilter.java:47) [devhub-server.jar:na]
    at nl.tudelft.ewi.devhub.server.web.filters.UserAuthorizeFilter.doFilter(UserAuthorizeFilter.java:40) [devhub-server.jar:na]
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-4.0.jar:na]
    at com.google.inject.persist.PersistFilter.doFilter(PersistFilter.java:91) [guice-persist-4.0.jar:na]
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-4.0.jar:na]
    at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119) [guice-servlet-4.0.jar:na]
    at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133) [guice-servlet-4.0.jar:na]
    at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130) [guice-servlet-4.0.jar:na]
    at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203) [guice-servlet-4.0.jar:na]
    at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130) [guice-servlet-4.0.jar:na]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) [jetty-servlet-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) [jetty-servlet-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) [jetty-servlet-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.Server.handle(Server.java:497) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) [jetty-io-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [jetty-util-9.2.10.v20150310.jar:9.2.10.v20150310]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [jetty-util-9.2.10.v20150310.jar:9.2.10.v20150310]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_72]
jwgmeligmeyling commented 8 years ago

@LiamClark any idea?

Fortijs commented 8 years ago

Bug replication method:

1. Log in and go to some branch
2. Wait some time (login expires)
3. Refresh the page and log in
4. 404

I'm not entirely sure, but I think the 404 only occurs when the URL leads towards anything further than /courses/ti1706/1516/groups/{groupnumber}/

jwgmeligmeyling commented 8 years ago

The branch name may contain slashes and is therefore an encoded segment of the URL. When we redirect you to the login form, we store the requested URL as an encoded query parameter. The input for this encoding is decoded instead of encoded, causing the branch name to be decoded in the final result as well, making it unresolvable for the request router.
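The decode-instead-of-encode defect described in the last comment, worked through as an added example. This is not DevHub code: DevHub is a Java/JAX-RS application, but the encoding logic is framework-independent, so the example is written in Python with a hypothetical route pattern modelled on the path in the logged 404 and a minimal stand-in router. The `login_redirect_buggy` and `login_redirect_fixed` functions, the `/login` path and the `redirect` parameter name are assumptions for illustration. The return-path check in `return_path_after_login` is a practitioner's addition the thread does not mention: a redirect parameter that is replayed after login should only ever be a same-origin relative path, otherwise it becomes an open redirect.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qs

# Hypothetical route pattern modelled on the path in the logged 404;
# DevHub's real JAX-RS annotations are not reproduced here.
BRANCH_ROUTE = "/courses/{course}/{edition}/groups/{group}/branch/{branch}"
LOGIN_PATH = "/login"  # assumed login form path


def branch_page_path(group_path: str, branch: str) -> str:
    """Branch names such as refs/heads/Part_0 contain slashes, so the name is
    percent-encoded as a single path segment (safe='' turns '/' into %2F)."""
    return f"{group_path}/branch/{quote(branch, safe='')}"


def match_route(pattern: str, path: str):
    """Minimal stand-in for a JAX-RS router: segments are matched one-to-one,
    {name} segments capture the decoded segment. Returns None on no match."""
    pat, seg = pattern.strip("/").split("/"), path.strip("/").split("/")
    if len(pat) != len(seg):
        return None
    params = {}
    for p, s in zip(pat, seg):
        if p.startswith("{") and p.endswith("}"):
            params[p[1:-1]] = unquote(s)
        elif p != s:
            return None
    return params


def login_redirect_buggy(requested_path: str) -> str:
    """The defect the thread describes: the requested URL is decoded instead of
    encoded before it is stored in the query string, so %2F inside the branch
    segment becomes a literal '/' and the path gains extra segments."""
    return f"{LOGIN_PATH}?redirect={unquote(requested_path)}"


def login_redirect_fixed(requested_path: str) -> str:
    """Encode the already-encoded path as an opaque query value; the existing
    %2F becomes %252F and survives the login handler's single decode."""
    return f"{LOGIN_PATH}?redirect={quote(requested_path, safe='')}"


def return_path_after_login(login_url: str):
    """What the login handler recovers after one decode of the query value,
    plus a check the thread does not mention: only a same-origin relative path
    is accepted, so the parameter cannot be abused as an open redirect."""
    target = parse_qs(urlsplit(login_url).query).get("redirect", [None])[0]
    if target is None or not target.startswith("/") or target.startswith("//"):
        return None
    return target


if __name__ == "__main__":
    # Constructed input: the group path from the logged 404 and a branch name
    # with slashes in it.
    group = "/courses/ti1706/1516/groups/86"
    page = branch_page_path(group, "refs/heads/Part_0")
    for name, build in (("buggy", login_redirect_buggy), ("fixed", login_redirect_fixed)):
        target = return_path_after_login(build(page))
        print(name, target, match_route(BRANCH_ROUTE, target))
```

Run stand-alone, the buggy variant hands the router `/branch/refs/heads/Part_0` (nine segments against a seven-segment route, hence the `NotFoundException`), while the fixed variant round-trips to `/branch/refs%2Fheads%2FPart_0` and the router captures `refs/heads/Part_0` as the branch parameter. The general rule is that each URL component is encoded exactly once for the position it occupies: a path segment is encoded when the path is built, and the whole path is encoded again when it is placed inside a query parameter value.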