API calls cause HTTP 500 internal errors
Closed this issue · 4 comments
Multiple endpoints have the same problem. If you send them an unescaped ampersand, you can cause an HTTP 500 internal error.
I will not list all the affected endpoints.
Basically, if an endpoint accepts a URL parameter and you send an unescaped ampersand %26, you cause:
HTTP ERROR 500 javax.servlet.ServletException: javax.servlet.ServletException: An error occurred while processing request to /exist/restxq/v1/corpora/0/play/&/rdf: err:XPST0003 Ampersands (&) must be escaped (following character was not a name start character).
[...]
One example to reproduce: https://staging.dracor.org/api/corpora/%26 https://staging.dracor.org/api/v1/corpora/%26
Closing this. Feel free to reopen.
This looks like an eXist or jetty issue. We should keep an eye on it.
What happened was that nginx decoded the URL path when proxying the request to eXist, so it actually requested http://localhost:8080/exist/restxq/v1/corpora/& instead of http://localhost:8080/exist/restxq/v1/corpora/%26. This has been fixed in the above deployment repo commit. Try https://staging.dracor.org/api/v1/corpora/%26 which should show a blank page instead of an error.
https://staging.dracor.org/api/corpora/%26 still returns an error page, since it is redirected to /api/v0/corpora/&. That redirect performs the same URL decoding as the proxy configuration before. It's an edge case we will probably not fix.
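The path decoding described in the comment above, modelled as an added example that is not part of the original thread or of the DraCor deployment: it maps a public request target to the backend URL once with the path decoded first and once with the path passed through as received, and lists the escapes that must survive the hop. The function names are hypothetical; the `/api` prefix and the upstream address are taken from the URLs quoted in the thread.

```python
import re
from urllib.parse import unquote, urlsplit

# Prefixes taken from the URLs quoted in the thread.
PUBLIC_PREFIX = "/api"
UPSTREAM = "http://localhost:8080/exist/restxq"

# RFC 3986 reserved characters plus "%": decoding an escape of one of these
# changes how the next hop parses the path.
RESERVED = set(":/?#[]@!$&'()*+,;=%")


def _map(path: str, query: str) -> str:
    """Swap the public prefix for the upstream prefix (hypothetical helper)."""
    if not path.startswith(PUBLIC_PREFIX + "/"):
        raise ValueError("not an API path: " + path)
    url = UPSTREAM + path[len(PUBLIC_PREFIX):]
    return url + ("?" + query if query else "")


def upstream_url_decoded(request_target: str) -> str:
    """Faulty mapping: percent-decode the path, then swap the prefix."""
    parts = urlsplit(request_target)
    return _map(unquote(parts.path), parts.query)


def upstream_url_raw(request_target: str) -> str:
    """Encoding-preserving mapping: swap the prefix on the path as received."""
    parts = urlsplit(request_target)
    return _map(parts.path, parts.query)


def reserved_escapes(request_target: str) -> list[str]:
    """Escapes in the path that must reach the backend still encoded."""
    path = urlsplit(request_target).path
    found = re.findall(r"%[0-9A-Fa-f]{2}", path)
    return [e for e in found if chr(int(e[1:], 16)) in RESERVED]


if __name__ == "__main__":
    target = "/api/v1/corpora/%26"  # request target from the thread
    print(upstream_url_decoded(target))
    print(upstream_url_raw(target))
    print(reserved_escapes(target))
```

A proxy regression test can send each target for which `reserved_escapes` is non-empty and compare the URL the backend logs against `upstream_url_raw`.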
Of course, feel free to ignore.
This is just something that schemathesis produced.