dracor-org/dracor-api

API calls cause HTTP 500 internal errors

Closed this issue · 4 comments

Multiple endpoints have the same problem. If you send them an unescaped ampersand you can cause HTTP 500 internal error.

I will not list all the affected endpoints.

Basically, if an endpoint accepts a URL parameter and you send an unescaped ampersand %26, you cause:

HTTP ERROR 500 javax.servlet.ServletException: javax.servlet.ServletException: An error occurred while processing request to /exist/restxq/v1/corpora/0/play/&/rdf: err:XPST0003 Ampersands (&) must be escaped (following character was not a name start character).
[...]

One example to reproduce: https://staging.dracor.org/api/corpora/%26 https://staging.dracor.org/api/v1/corpora/%26

Closing this. Feel free to reopen.

cmil commented

This looks like an eXist or jetty issue. We should keep an eye on it.

cmil commented

What happened was that nginx decoded the URL path when proxying the request to eXist, so it actually requested http://localhost:8080/exist/restxq/v1/corpora/& instead of http://localhost:8080/exist/restxq/v1/corpora/%26. This has been fixed in the above deployment repo commit. Try https://staging.dracor.org/api/v1/corpora/%26 which should show a blank page instead of an error.

https://staging.dracor.org/api/corpora/%26 still returns an error page, since it is redirected to /api/v0/corpora/&. That redirect performs the same URL decoding as the proxy configuration before. It's an edge case we will probably not fix.
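As an added illustration of the proxy behaviour described above (this is not the deployment repo commit, which is not shown in this thread), the first location block reproduces the decoding and the second forwards the path with its percent-encoding intact. The backend host, port and /exist/restxq/v1 path are taken from the error message; the /api/v1/ location prefix is assumed.

```nginx
# PROBLEM: a proxy_pass with a URI part makes nginx substitute the
# *normalised* request URI, in which %26 has already been decoded to "&".
# When nginx re-escapes that URI it leaves "&" alone, so eXist receives
# /exist/restxq/v1/corpora/& and XQuery fails with err:XPST0003.
location /api/v1/ {
    proxy_pass http://localhost:8080/exist/restxq/v1/;
}

# FIX (one way to do it): rebuild $uri from $request_uri, which still
# holds the client's original, encoded path, and use a variable in
# proxy_pass so nginx sends the URI as is, without normalisation.
location /api/v1/ {
    rewrite ^ $request_uri;                            # $uri := raw path, $args := raw query
    rewrite ^/api/v1/(.*) /exist/restxq/v1/$1 break;   # remap prefix, stop rewriting
    return 400;                                        # only reached if the remap did not match
    proxy_pass http://localhost:8080$uri$is_args$args; # /exist/restxq/v1/corpora/%26 reaches eXist
}
```

The same decoding happens in a `return 301 /api/v0$1;` style redirect built from `$uri`, which is why the unversioned /api/corpora/%26 path in the comment above still ends up as /api/v0/corpora/&.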

Of course, feel free to ignore.

This is just something that schemathesis produced.