malformed uri

jaxrs/pom.xml

@@ -65,6 +65,10 @@
       <groupId>javax.inject</groupId>
       <artifactId>javax.inject</artifactId>
     </dependency>
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>javax.servlet-api</artifactId>
+    </dependency>
     <dependency>
       <groupId>javax.ws.rs</groupId>
       <artifactId>javax.ws.rs-api</artifactId>

jaxrs/src/main/java/com/cerner/beadledom/jaxrs/JaxRsModule.java

@@ -1,7 +1,9 @@
 package com.cerner.beadledom.jaxrs;
 
 import com.cerner.beadledom.jaxrs.provider.CorrelationIdFilter;
+import com.cerner.beadledom.jaxrs.provider.MalformedRequestFilter;
 import com.google.inject.AbstractModule;
+import com.google.inject.Provides;
 import javax.inject.Singleton;
 
 /**
@@ -20,4 +22,9 @@ protected void configure() {
     bind(CorrelationIdFilter.class).toProvider(CorrelationIdFilterProvider.class)
         .in(Singleton.class);
   }
+
+  @Provides
+  MalformedRequestFilter provideMalformedRequestFilter() {
+    return new MalformedRequestFilter();
+  }
 }

jaxrs/src/main/java/com/cerner/beadledom/jaxrs/provider/FilteringJacksonJsonProvider.java

@@ -11,6 +11,7 @@
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Type;
 import javax.inject.Inject;
+import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
@@ -32,6 +33,9 @@ public class FilteringJacksonJsonProvider extends JacksonJsonProvider {
   @Context
   UriInfo uriInfo;
 
+  @Context
+  HttpServletResponse httpServletResponse;
+
   /**
    * Creates a new instance of {@link FilteringJacksonJsonProvider}.
    */
@@ -52,6 +56,12 @@ public long getSize(
   public void writeTo(
       Object o, Class<?> type, Type genericType, Annotation[] annotations, MediaType mediaType,
       MultivaluedMap<String, Object> httpHeaders, OutputStream os) throws IOException {
+
+    if (httpServletResponse.getStatus() >= 400 ) {
+      super.writeTo(o, type, genericType, annotations, mediaType, httpHeaders, os);
+      return;
+    }
+
     String fields = uriInfo.getQueryParameters() == null ? null
         : uriInfo.getQueryParameters().getFirst("fields");
 

jaxrs/src/main/java/com/cerner/beadledom/jaxrs/provider/MalformedRequestFilter.java

@@ -0,0 +1,37 @@
+package com.cerner.beadledom.jaxrs.provider;
+
+import com.cerner.beadledom.json.common.model.JsonError;
+import java.net.URI;
+import javax.annotation.Priority;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.PreMatching;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.Provider;
+
+/**
+ * The MalformedRequestFilter reads the request context and determines if the request has a valid uri structure if it
+ * does not then it aborts the request and responds with a 400
+ *
+ * @author Kyle Roush
+ */
+@Provider
+@Priority(Priorities.AUTHENTICATION)
+@PreMatching
+public class MalformedRequestFilter implements ContainerRequestFilter {
+
+  @Override
+  public void filter(ContainerRequestContext requestContext) {
+    try {
+      URI.create(requestContext.getUriInfo().getAbsolutePath().toString());
+    } catch (IllegalArgumentException e) {
+      requestContext.abortWith(
+              Response.status(400)
+                      .type(MediaType.APPLICATION_JSON)
+                      .entity(JsonError.builder().code(400).message("Malformed URI").build())
+                      .build());
+    }
+  }
+}

jaxrs/src/test/scala/com/cerner/beadledom/jaxrs/provider/FilteringJacksonJsonProviderSpec.scala

@@ -6,6 +6,7 @@ import com.fasterxml.jackson.databind.ObjectMapper
 import com.google.common.collect.Lists
 import java.io.{ByteArrayOutputStream, OutputStream}
 import java.nio.charset.Charset
+import javax.servlet.http.HttpServletResponse
 import javax.ws.rs.core._
 import org.jboss.resteasy.specimpl.MultivaluedMapImpl
 import org.mockito
@@ -32,11 +33,14 @@ class FilteringJacksonJsonProviderSpec
 
     it("serializes a FakeModel") {
       val uriInfo = Mockito.mock(classOf[UriInfo])
+      val httpServletResponse = Mockito.mock(classOf[HttpServletResponse])
       Mockito.when(uriInfo.getQueryParameters).thenReturn(new MultivaluedMapImpl[String, String])
+      Mockito.when(httpServletResponse.getStatus).thenReturn(200)
       val output = Mockito.mock(classOf[OutputStream])
 
       val filter = new FilteringJacksonJsonProvider(objectMapper)
       filter.uriInfo = uriInfo
+      filter.httpServletResponse = httpServletResponse
 
       filter.writeTo(fakeModel,
         fakeModel.getClass,
@@ -56,13 +60,17 @@ class FilteringJacksonJsonProviderSpec
 
     it("filters simple bean properties") {
       val uriInfo = Mockito.mock(classOf[UriInfo])
+      val httpServletResponse = Mockito.mock(classOf[HttpServletResponse])
+      Mockito.when(httpServletResponse.getStatus).thenReturn(200)
+
       val queryParams = new MultivaluedMapImpl[String, String]
       queryParams.add("fields", "id,name,times")
       Mockito.when(uriInfo.getQueryParameters).thenReturn(queryParams)
       val output = Mockito.mock(classOf[OutputStream])
 
       val filter = new FilteringJacksonJsonProvider(objectMapper)
       filter.uriInfo = uriInfo
+      filter.httpServletResponse = httpServletResponse
 
       filter.writeTo(fakeModel,
         fakeModel.getClass,
@@ -82,13 +90,17 @@ class FilteringJacksonJsonProviderSpec
 
     it("filters nested bean properties") {
       val uriInfo = Mockito.mock(classOf[UriInfo])
+      val httpServletResponse = Mockito.mock(classOf[HttpServletResponse])
+      Mockito.when(httpServletResponse.getStatus).thenReturn(200)
+
       val queryParams = new MultivaluedMapImpl[String, String]
       queryParams.add("fields", "id,name,inner_models/id")
       Mockito.when(uriInfo.getQueryParameters).thenReturn(queryParams)
       val output = new ByteArrayOutputStream()
 
       val filter = new FilteringJacksonJsonProvider(objectMapper)
       filter.uriInfo = uriInfo
+      filter.httpServletResponse = httpServletResponse
 
       filter.writeTo(fakeModel,
         fakeModel.getClass,
@@ -123,6 +135,9 @@ class FilteringJacksonJsonProviderSpec
               Venue("venue_id1", "THE venue", "THE place", tenors, vocalists, guitarists, failures)
 
       val uriInfo = Mockito.mock(classOf[UriInfo])
+      val httpServletResponse = Mockito.mock(classOf[HttpServletResponse])
+      Mockito.when(httpServletResponse.getStatus).thenReturn(200)
+
       val queryParams = new MultivaluedMapImpl[String, String]
       queryParams.add("fields",
         "id,name,tenors/pitch_pipe,tenors/name,tenors/albums/name,vocalists/albums/id,vocalists/albums/name," +
@@ -132,6 +147,7 @@ class FilteringJacksonJsonProviderSpec
 
       val filter = new FilteringJacksonJsonProvider(objectMapper)
       filter.uriInfo = uriInfo
+      filter.httpServletResponse = httpServletResponse
 
       filter.writeTo(venue,
         venue.getClass,
@@ -154,11 +170,15 @@ class FilteringJacksonJsonProviderSpec
 
     it("serializes a small FakeModel") {
       val uriInfo = Mockito.mock(classOf[UriInfo])
+      val httpServletResponse = Mockito.mock(classOf[HttpServletResponse])
+      Mockito.when(httpServletResponse.getStatus).thenReturn(200)
+
       Mockito.when(uriInfo.getQueryParameters).thenReturn(new MultivaluedMapImpl[String, String])
       val output = Mockito.mock(classOf[OutputStream])
 
       val filter = new FilteringJacksonJsonProvider(objectMapper)
       filter.uriInfo = uriInfo
+      filter.httpServletResponse = httpServletResponse
 
       val startTime = System.currentTimeMillis()
       filter.writeTo(fakeModel,
@@ -173,10 +193,14 @@ class FilteringJacksonJsonProviderSpec
     it("serializes a large FakeModel - about 6MB") {
       (0 until 100000).foreach({ value => fakeModel.innerModels.add(fakeInnerModel1) })
       val uriInfo = Mockito.mock(classOf[UriInfo])
+      val httpServletResponse = Mockito.mock(classOf[HttpServletResponse])
+      Mockito.when(httpServletResponse.getStatus).thenReturn(200)
+
       Mockito.when(uriInfo.getQueryParameters).thenReturn(new MultivaluedMapImpl[String, String])
 
       val filter = new FilteringJacksonJsonProvider(objectMapper)
       filter.uriInfo = uriInfo
+      filter.httpServletResponse = httpServletResponse
 
       (0 until 10).foreach { value =>
         System.gc()
@@ -200,12 +224,16 @@ class FilteringJacksonJsonProviderSpec
     it("serializes a large FakeModel with filtering - about 6MB") {
       (0 until 100000).foreach({ value => fakeModel.innerModels.add(fakeInnerModel1) })
       val uriInfo = Mockito.mock(classOf[UriInfo])
+      val httpServletResponse = Mockito.mock(classOf[HttpServletResponse])
+      Mockito.when(httpServletResponse.getStatus).thenReturn(200)
+
       val queryParams = new MultivaluedMapImpl[String, String]
       queryParams.add("fields", "id,name,inner_models/id")
       Mockito.when(uriInfo.getQueryParameters).thenReturn(queryParams)
 
       val filter = new FilteringJacksonJsonProvider(objectMapper)
       filter.uriInfo = uriInfo
+      filter.httpServletResponse = httpServletResponse
 
       (0 until 10).foreach { value =>
         System.gc()

jaxrs/src/test/scala/com/cerner/beadledom/jaxrs/provider/MalformedRequestFilterSpec.scala

@@ -0,0 +1,54 @@
+package com.cerner.beadledom.jaxrs.provider
+
+import java.net.URI
+
+import com.cerner.beadledom.json.common.model.JsonError
+import javax.ws.rs.container.ContainerRequestContext
+import javax.ws.rs.core.{MediaType, Response, UriInfo}
+import org.jboss.resteasy.specimpl.ResteasyUriInfo
+import org.mockito
+import org.mockito.{ArgumentCaptor, Mockito}
+import org.mockito.ArgumentMatchers.any
+import org.scalatest._
+
+import scala.collection.JavaConverters._
+import org.scalatestplus.mockito.MockitoSugar
+import org.scalatest.funspec.AnyFunSpec
+import org.scalatest.matchers.should.Matchers
+
+class MalformedRequestFilterSpec
+  extends AnyFunSpec with BeforeAndAfterAll with Matchers with MockitoSugar {
+
+  describe("MalformedRequestFilter with a valid URI") {
+
+    val containerRequestContext = Mockito.mock(classOf[ContainerRequestContext])
+    val uriInfo = new ResteasyUriInfo("http://localhost:8080", "")
+    Mockito.when(containerRequestContext.getUriInfo).thenReturn(uriInfo)
+
+    val malformedRequestFilter = new MalformedRequestFilter()
+
+    it("does not call abortWith") {
+      malformedRequestFilter.filter(containerRequestContext)
+
+      Mockito.verify(containerRequestContext).getUriInfo();
+      Mockito.verifyNoMoreInteractions(containerRequestContext);
+    }
+
+  }
+  describe("MalformedRequestFilter with an invalid URI") {
+
+    val containerRequestContext = Mockito.mock(classOf[ContainerRequestContext])
+    val uriInfo = new ResteasyUriInfo("http://localhost:8080", "?test=%9")
+    Mockito.when(containerRequestContext.getUriInfo).thenReturn(uriInfo)
+
+    val malformedRequestFilter = new MalformedRequestFilter()
+    it("calls abortWith") {
+      malformedRequestFilter.filter(containerRequestContext)
+
+      Mockito.verify(containerRequestContext)
+        .abortWith(any(classOf[Response]))
+
+    }
+
+  }
+}