[Backport 2.x] Filter out invalid URI and HTTP method in the error message of no handler found for a REST request #3485

Merged
merged 1 commit into from
Jun 2, 2022

Conversation

opensearch-trigger-bot[bot] (Contributor) commented Jun 2, 2022

Backport 2bfe8b3 from #3459

issue: #3453

…dler found for a REST request (#3459)

Filter out invalid URI and HTTP method from an error message, which is shown when there is no handler found for a REST request sent by a user, so that the HTML special characters <>&"' will not be shown in the error message.

The error message is returned with the MIME type `application/json`, which can't contain active (script) content, so it's not a vulnerability. Besides, no browser is going to render it as HTML when the MIME type is that.
However, common security scanners will raise a false-positive alarm for having HTML tags in the response without escaping the HTML special characters, so the solution only aims to satisfy the code security scanners.

Signed-off-by: Tianli Feng <ftianli@amazon.com>
(cherry picked from commit 2bfe8b3)
@opensearch-trigger-bot opensearch-trigger-bot bot requested review from a team and reta as code owners June 2, 2022 16:30
@tlfeng tlfeng added backport (PRs or issues specific to backporting features or enhancements), v2.1.0 (Issues and PRs related to version 2.1.0) and enhancement (Enhancement or improvement to existing feature or request) labels Jun 2, 2022
tlfeng (Collaborator) commented Jun 2, 2022

@reta Thanks for your review! 👍

opensearch-ci-bot (Collaborator): ✅ Gradle Check success bc24116 (Log 5726, Reports 5726)

@reta reta merged commit dd9e978 into 2.x Jun 2, 2022
@github-actions github-actions bot deleted the backport/backport-3459-to-2.x branch June 2, 2022 17:16
3 participants