search

grundic / teamcity-avatar

Plugin for displaying user avatars in Teamcity
13 stars 4 forks source link

java.lang.IllegalArgumentException: Illegal character in path at index 43 #11

Open ogerovich opened 7 years ago

ogerovich commented 7 years ago

job-chtcagent in the exception below is one of our user logins. Looks like the fix could be to change spaces to %20 before using the URL.

java.lang.IllegalArgumentException: Illegal character in path at index 43: http://api.tumblr.com/v2/blog/job-chtcagent (job-chtcagent)/avatar at java.net.URI.create(URI.java:852) at org.apache.http.client.methods.HttpGet.(HttpGet.java:69) at ru.mail.teamcity.avatar.supplier.impl.TumblrAvatarSupplier.doGetAvatarUrl(TumblrAvatarSupplier.java:37) at ru.mail.teamcity.avatar.supplier.impl.TumblrAvatarSupplier.getAvatarUrl(TumblrAvatarSupplier.java:31) at ru.mail.teamcity.avatar.service.AvatarServiceImpl$2.load(AvatarServiceImpl.java:86) at ru.mail.teamcity.avatar.service.AvatarServiceImpl$2.load(AvatarServiceImpl.java:82) at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3589) at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2374) at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2337) at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2252) at com.google.common.cache.LocalCache.get(LocalCache.java:3990) at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3994) at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4878) at ru.mail.teamcity.avatar.service.AvatarServiceImpl.getAvatarUrl(AvatarServiceImpl.java:156) at ru.mail.teamcity.avatar.web.AjaxAvatarController$1.handleRequest(AjaxAvatarController.java:71) at jetbrains.buildServer.controllers.AjaxRequestProcessor.processRequest(AjaxRequestProcessor.java:45) at ru.mail.teamcity.avatar.web.AjaxAvatarController.doHandle(AjaxAvatarController.java:54) at jetbrains.buildServer.controllers.BaseController.handleRequestInternal(BaseController.java:75) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:147) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:50) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:961) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:895) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967) at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869) at javax.servlet.http.HttpServlet.service(HttpServlet.java:650) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at jetbrains.buildServer.maintenance.TeamCityDispatcherServlet.processedByMainServlet(TeamCityDispatcherServlet.java:50) at jetbrains.buildServer.maintenance.TeamCityDispatcherServlet.service(TeamCityDispatcherServlet.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at jetbrains.buildServer.web.jsp.JspPrecompilerFilter.doFilter(JspPrecompilerFilter.java:129) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at jetbrains.buildServer.web.DisableSessionIdFromUrlFilter.doFilter(DisableSessionIdFromUrlFilter.java:5) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:107) at jetbrains.buildServer.diagnostic.web.DiagnosticFilter.doFilter(DiagnosticFilter.java:84) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:112) at jetbrains.buildServer.web.DependencyParametersCalculationContextFilter.doFilter(DependencyParametersCalculationContextFilter.java:2) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:112) at jetbrains.buildServer.web.CSRFFilter.doFilter(CSRFFilter.java:100) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:112) at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:73) at jetbrains.buildServer.web.DelegatingFilter.doFilter(DelegatingFilter.java:37) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at jetbrains.buildServer.web.ResponseFragmentFilter.doFilter(ResponseFragmentFilter.java:5) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1757) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1716) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Caused by: java.net.URISyntaxException: Illegal character in path at index 43: http://api.tumblr.com/v2/blog/job-chtcagent (job-chtcagent)/avatar at java.net.URI$Parser.fail(URI.java:2848) at java.net.URI$Parser.checkChars(URI.java:3021) at java.net.URI$Parser.parseHierarchical(URI.java:3105) at java.net.URI$Parser.parse(URI.java:3053) at java.net.URI.(URI.java:588) at java.net.URI.create(URI.java:850) ... 67 more

grundic commented 7 years ago

Hi @ogerovich, Thank you for the ticket.

Yep, looks like I have to URL encode user names to fix this. I don't have much time right now, so I don't know how long it could take for me. As a workaround, this user could select static avatar instead of using tumblr's.

ogerovich commented 7 years ago

Hi Grigoriy,

Thank you for that workaround. We will try it. Here is a similar exception that we also observe a lot:

java.lang.IllegalArgumentException: Illegal character in path at index 37: http://api.tumblr.com/v2/blog/unknown %3Ca title%3D%5C'Add this vcs username to my profile%5C' href%3D%5C'javascript%3A%3B%5C' onclick%3D%5C'BS.VcsUsername.addVcsNameFromModification(457046)%3B%5C'%3Eit%5C's me!%3C%5C%2Fa%3E/avatar at java.net.URI.create(URI.java:852) at org.apache.http.client.methods.HttpGet.(HttpGet.java:69) at ru.mail.teamcity.avatar.supplier.impl.TumblrAvatarSupplier.doGetAvatarUrl(TumblrAvatarSupplier.java:37) at ru.mail.teamcity.avatar.supplier.impl.TumblrAvatarSupplier.getAvatarUrl(TumblrAvatarSupplier.java:31) at ru.mail.teamcity.avatar.service.AvatarServiceImpl$2.load(AvatarServiceImpl.java:86) at ru.mail.teamcity.avatar.service.AvatarServiceImpl$2.load(AvatarServiceImpl.java:82) at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3589) at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2374) at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2337) at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2252) at com.google.common.cache.LocalCache.get(LocalCache.java:3990) at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3994) at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4878) at ru.mail.teamcity.avatar.service.AvatarServiceImpl.getAvatarUrl(AvatarServiceImpl.java:156) at ru.mail.teamcity.avatar.web.AjaxAvatarController$1.handleRequest(AjaxAvatarController.java:71) at jetbrains.buildServer.controllers.AjaxRequestProcessor.processRequest(AjaxRequestProcessor.java:45) at ru.mail.teamcity.avatar.web.AjaxAvatarController.doHandle(AjaxAvatarController.java:54) at jetbrains.buildServer.controllers.BaseController.handleRequestInternal(BaseController.java:75) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:147) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:50) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:961) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:895) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967) at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869) at javax.servlet.http.HttpServlet.service(HttpServlet.java:650) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at jetbrains.buildServer.maintenance.TeamCityDispatcherServlet.processedByMainServlet(TeamCityDispatcherServlet.java:50) at jetbrains.buildServer.maintenance.TeamCityDispatcherServlet.service(TeamCityDispatcherServlet.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at jetbrains.buildServer.web.jsp.JspPrecompilerFilter.doFilter(JspPrecompilerFilter.java:129) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at jetbrains.buildServer.web.DisableSessionIdFromUrlFilter.doFilter(DisableSessionIdFromUrlFilter.java:5) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:107) at jetbrains.buildServer.diagnostic.web.DiagnosticFilter.doFilter(DiagnosticFilter.java:84) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:112) at jetbrains.buildServer.web.DependencyParametersCalculationContextFilter.doFilter(DependencyParametersCalculationContextFilter.java:2) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:112) at jetbrains.buildServer.web.CSRFFilter.doFilter(CSRFFilter.java:100) at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:112) at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:73) at jetbrains.buildServer.web.DelegatingFilter.doFilter(DelegatingFilter.java:37) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at jetbrains.buildServer.web.ResponseFragmentFilter.doFilter(ResponseFragmentFilter.java:5) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1757) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1716) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745)

In this case, the user who submitted changelist 457046 has the default VCS name set to the same value as TC username. Is there a problem in the plugin with getting the TC account corresponding to the changelist author?

grundic commented 7 years ago

@ogerovich, is your TC instance internal or public? If you decode username of the las user unknown %3Ca title%3D%5C'Add this vcs username to my profile%5C' href%3D%5C'javascript%3A%3B%5C, you will get some weird result:

unknown <a title=\'Add this vcs username to my profile\' href=\'javascript:;\

It might be that someone tries to exploit #6

ogerovich commented 7 years ago

It's an internal instance. I see a bunch of these for different changelists. I doubt someone is trying to do something malicious. It seems like TC is trying to do something: BS.VcsUsername.addVcsNameFromModification. Any ideas how to deal with this or will a fix to the exploit take care of it?

grundic commented 7 years ago

I think you have to wait for a fix. It might be that I would need some information from you about the user and his configuration.

ogerovich commented 7 years ago

We can wait. This kind of exception appears for different changelists for different users. Some changelists belong to the user that runs Perforce Swarm code review tool, but some are from real TC users who have an account. Just let me know what info would help.

Thanks, Oleg.

ogerovich commented 6 years ago

We have another, possibly similar issue. If user's full name includes an apostrophe (e.g. Andy O'Hara), there is a javascript error for avatar.currentUser, "name" field:

avatar.currentUser = {
...
'name' = 'Andy O'Hara', // there is a red underline after O
...

Please also check 'extendedName' field.