The system demonstrates inconsistency in its HTTP status code responses when handling requests containing domains with special characters in the body for issuing TLS server certificates. Instead of returning the expected 422 Unprocessable Entity status code, the system consistently responds with a 200 OK status code. This deviation from the expected behavior poses potential risks to security and data integrity.
Details:
Observed Behavior:
Requests containing domains with special characters in the body for issuing TLS server certificates consistently receive a 200 OK HTTP status code in response.
The response status code of 200 indicates successful processing of the request, which is misleading and inaccurate given the presence of invalid data (domains with special characters) in the request body.
This inconsistency occurs across all instances of such requests, indicating a systemic issue in the processing logic related to handling domains with special characters in TLS certificate issuance requests.
Expected Behavior:
According to RESTful API conventions and best practices, requests containing invalid or unprocessable entity data should result in a 422 Unprocessable Entity status code.
The response should accurately reflect the presence of invalid data in the request body, prompting the client to rectify the issue and resubmit the request.
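An added example of the expected validation path, not the affected system's own code: a small request-body validator that rejects domain names containing special characters with 422 instead of accepting them with 200. The body shape `{"domains": [...]}`, the RFC 1035 letters-digits-hyphen label rule and the single leading wildcard label are assumptions.

```python
from __future__ import annotations
import re

# Assumed label rule: 1..63 letters, digits or hyphens, no leading/trailing hyphen.
# Internationalized names must arrive punycode-encoded, so any other character is invalid.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def domain_errors(domain: str) -> list[str]:
    """Return validation errors for one DNS name; an empty list means the name is valid."""
    errors: list[str] = []
    if not domain or len(domain) > 253:
        errors.append(f"{domain!r}: length must be 1..253 characters")
        return errors
    labels = domain.split(".")
    # Permit exactly one leading wildcard label, as is common for TLS server certificates.
    if labels[0] == "*":
        labels = labels[1:]
        if not labels:
            errors.append(f"{domain!r}: bare wildcard is not a valid name")
            return errors
    for label in labels:
        if not LABEL_RE.match(label):
            errors.append(f"{domain!r}: label {label!r} has characters outside [A-Za-z0-9-] "
                          "or a leading/trailing hyphen")
    return errors


def validate_issue_request(body: dict) -> tuple[int, dict]:
    """Validate an issuance request body and return (http_status, response_json).
    Hypothetical body shape: {"domains": ["example.com", ...]}."""
    domains = body.get("domains")
    if not isinstance(domains, list) or not domains:
        return 422, {"errors": ["domains: must be a non-empty list"]}
    errors: list[str] = []
    for d in domains:
        if not isinstance(d, str):
            errors.append(f"{d!r}: must be a string")
            continue
        errors.extend(domain_errors(d))
    if errors:
        # Invalid data is present in the body: refuse with 422, never answer 200 OK.
        return 422, {"errors": errors}
    return 200, {"status": "accepted", "domains": domains}


if __name__ == "__main__":
    # Constructed sample bodies: one valid, one with special characters in the domains.
    for body in ({"domains": ["example.com", "*.example.com"]},
                 {"domains": ["exa$mple.com", "bad_host.example.com"]}):
        print(validate_issue_request(body))
```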
Impact:
Security Implications:
Allowing TLS server certificates to be issued with domains containing special characters may introduce security vulnerabilities, as such certificates might not be properly recognized or validated by client systems.
Malicious actors could potentially exploit this inconsistency to manipulate or bypass certificate validation mechanisms, leading to unauthorized access or data breaches.
Data Integrity Risks:
Inconsistent handling of requests with domains containing special characters compromises the integrity of the data exchange process between clients and servers, increasing the likelihood of data corruption or loss.
Test Data: