Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unauthenticated request with a request path that contains a semicolon results in a server exception when using OIDC #31802

Closed
sschellh opened this issue Mar 13, 2023 · 13 comments · Fixed by #42684
Closed

Unauthenticated request with a request path that contains a semicolon results in a server exception when using OIDC #31802

sschellh opened this issue Mar 13, 2023 · 13 comments · Fixed by #42684
Labels
area/oidc kind/bug Something isn't working
Milestone
3.14.2

Comments

@sschellh
Copy link

Describe the bug

If an unauthenticated user submits a request with a request path that contains a semicolon, then that results in

  • a server exception in the backend
  • a not terminated request in the web browser.

This might be a problem because we see a lot of unauthenticated requests from the Internet for URIs like the ones below. Instead of just being rejected, they case a server exception.

/..;/..;/yahoo-phpinfo
/;/;/yahoo-phpinfo
/static..;/yahoo-phpinfo
/enterprise/;/;/myidtravel/webjars/swagger-ui/index.html
/layouts/;/;/info.php
/metadata/;/;/php/info.php
/metadata/;/;/checktterer

Full exception trace:

{
   "timestamp":"2023-03-11T11:00:00Z",
   "sequence":250678,
   "loggerClassName":"org.jboss.logging.Logger",
   "loggerName":"io.quarkus.vertx.http.runtime.QuarkusErrorHandler",
   "level":"ERROR",
   "message":"HTTP Request to /svn///;@example.com failed, error id: xxx",
   "threadName":"vert.x-eventloop-thread-1",
   "threadId":20,
   "mdc":{
      
   },
   "ndc":"",
   "hostName":"xxx",
   "processName":"quarkus-run.jar",
   "processId":1,
   "exception":{
      "refId":1,
      "exceptionType":"java.lang.IllegalArgumentException",
      "message":"Cookie value contains an invalid char: ;",
      "frames":[
         {
            "class":"io.netty.handler.codec.http.cookie.CookieEncoder",
            "method":"validateCookie",
            "line":48
         },
         {
            "class":"io.netty.handler.codec.http.cookie.ServerCookieEncoder",
            "method":"encode",
            "line":94
         },
         {
            "class":"io.vertx.core.http.impl.CookieImpl",
            "method":"encode",
            "line":147
         },
         {
            "class":"io.vertx.core.http.impl.Http1xServerResponse",
            "method":"setCookies",
            "line":725
         },
         {
            "class":"io.vertx.core.http.impl.Http1xServerResponse",
            "method":"prepareHeaders",
            "line":713
         },
         {
            "class":"io.vertx.core.http.impl.Http1xServerResponse",
            "method":"end",
            "line":408
         },
         {
            "class":"io.vertx.core.http.impl.Http1xServerResponse",
            "method":"end",
            "line":387
         },
         {
            "class":"io.vertx.core.http.impl.Http1xServerResponse",
            "method":"end",
            "line":456
         },
         {
            "class":"io.quarkus.vertx.http.runtime.filters.AbstractResponseWrapper",
            "method":"end",
            "line":233
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer$4$1",
            "method":"onItem",
            "line":174
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer$4$1",
            "method":"onItem",
            "line":165
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor",
            "method":"onItem",
            "line":43
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor",
            "method":"onItem",
            "line":43
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor",
            "method":"onItem",
            "line":43
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform",
            "method":"subscribe",
            "line":22
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform",
            "method":"subscribe",
            "line":22
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform",
            "method":"subscribe",
            "line":22
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"withSubscriber",
            "line":52
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer$4",
            "method":"onItem",
            "line":165
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer$4",
            "method":"onItem",
            "line":155
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromItemSupplier",
            "method":"subscribe",
            "line":29
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromItemSupplier",
            "method":"subscribe",
            "line":29
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.DefaultUniEmitter",
            "method":"complete",
            "line":37
         },
         {
            "class":"io.smallrye.mutiny.groups.UniOnNull",
            "method":"lambda$failWith$1",
            "line":46
         },
         {
            "class":"io.smallrye.context.impl.wrappers.SlowContextualBiConsumer",
            "method":"accept",
            "line":21
         },
         {
            "class":"io.smallrye.mutiny.groups.UniOnItem",
            "method":"lambda$transformToUni$4",
            "line":178
         },
         {
            "class":"io.smallrye.context.impl.wrappers.SlowContextualConsumer",
            "method":"accept",
            "line":21
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateWithEmitter",
            "method":"subscribe",
            "line":22
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"withSubscriber",
            "line":52
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer",
            "method":"doDeny",
            "line":155
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer$2",
            "method":"accept",
            "line":128
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer$2",
            "method":"accept",
            "line":124
         },
         {
            "class":"io.smallrye.context.impl.wrappers.SlowContextualConsumer",
            "method":"accept",
            "line":21
         },
         {
            "class":"io.smallrye.mutiny.helpers.UniCallbackSubscriber",
            "method":"onItem",
            "line":73
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor",
            "method":"onItem",
            "line":43
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromItemSupplier",
            "method":"subscribe",
            "line":29
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromItemSupplier",
            "method":"subscribe",
            "line":29
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.DefaultUniEmitter",
            "method":"complete",
            "line":37
         },
         {
            "class":"io.smallrye.mutiny.groups.UniOnNull",
            "method":"lambda$failWith$1",
            "line":46
         },
         {
            "class":"io.smallrye.context.impl.wrappers.SlowContextualBiConsumer",
            "method":"accept",
            "line":21
         },
         {
            "class":"io.smallrye.mutiny.groups.UniOnItem",
            "method":"lambda$transformToUni$4",
            "line":178
         },
         {
            "class":"io.smallrye.context.impl.wrappers.SlowContextualConsumer",
            "method":"accept",
            "line":21
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateWithEmitter",
            "method":"subscribe",
            "line":22
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform",
            "method":"subscribe",
            "line":22
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"withSubscriber",
            "line":52
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"with",
            "line":112
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"with",
            "line":89
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer",
            "method":"doPermissionCheck",
            "line":124
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer$2",
            "method":"accept",
            "line":135
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer$2",
            "method":"accept",
            "line":124
         },
         {
            "class":"io.smallrye.context.impl.wrappers.SlowContextualConsumer",
            "method":"accept",
            "line":21
         },
         {
            "class":"io.smallrye.mutiny.helpers.UniCallbackSubscriber",
            "method":"onItem",
            "line":73
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"withSubscriber",
            "line":52
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"with",
            "line":112
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"with",
            "line":89
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer",
            "method":"doPermissionCheck",
            "line":124
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpAuthorizer",
            "method":"checkPermission",
            "line":101
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$3",
            "method":"handle",
            "line":207
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$3",
            "method":"handle",
            "line":199
         },
         {
            "class":"io.vertx.ext.web.impl.RouteState",
            "method":"handleContext",
            "line":1284
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImplBase",
            "method":"iterateNext",
            "line":177
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImpl",
            "method":"next",
            "line":141
         },
         {
            "class":"io.quarkus.resteasy.runtime.standalone.ResteasyStandaloneRecorder$3",
            "method":"handle",
            "line":178
         },
         {
            "class":"io.quarkus.resteasy.runtime.standalone.ResteasyStandaloneRecorder$3",
            "method":"handle",
            "line":148
         },
         {
            "class":"io.vertx.ext.web.impl.RouteState",
            "method":"handleContext",
            "line":1284
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImplBase",
            "method":"iterateNext",
            "line":177
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImpl",
            "method":"next",
            "line":141
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2$3$1",
            "method":"onItem",
            "line":125
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2$3$1",
            "method":"onItem",
            "line":115
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromItemSupplier",
            "method":"subscribe",
            "line":29
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromItemSupplier",
            "method":"subscribe",
            "line":29
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.DefaultUniEmitter",
            "method":"complete",
            "line":37
         },
         {
            "class":"io.smallrye.mutiny.groups.UniOnNull",
            "method":"lambda$failWith$1",
            "line":46
         },
         {
            "class":"io.smallrye.context.impl.wrappers.SlowContextualBiConsumer",
            "method":"accept",
            "line":21
         },
         {
            "class":"io.smallrye.mutiny.groups.UniOnItem",
            "method":"lambda$transformToUni$4",
            "line":178
         },
         {
            "class":"io.smallrye.context.impl.wrappers.SlowContextualConsumer",
            "method":"accept",
            "line":21
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateWithEmitter",
            "method":"subscribe",
            "line":22
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"withSubscriber",
            "line":52
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2$3",
            "method":"onItem",
            "line":115
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2$3",
            "method":"onItem",
            "line":101
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniMemoizeOp",
            "method":"drain",
            "line":160
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniMemoizeOp",
            "method":"onItem",
            "line":180
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":60
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromItemSupplier",
            "method":"subscribe",
            "line":29
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"performInnerSubscription",
            "line":81
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor",
            "method":"onItem",
            "line":57
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor",
            "method":"onItem",
            "line":43
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor",
            "method":"onItem",
            "line":43
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"forward",
            "line":38
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem$KnownItemSubscription",
            "method":"access$100",
            "line":26
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.builders.UniCreateFromKnownItem",
            "method":"subscribe",
            "line":23
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform",
            "method":"subscribe",
            "line":22
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransform",
            "method":"subscribe",
            "line":22
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni",
            "method":"subscribe",
            "line":25
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.operators.uni.UniMemoizeOp",
            "method":"subscribe",
            "line":84
         },
         {
            "class":"io.smallrye.mutiny.operators.AbstractUni",
            "method":"subscribe",
            "line":36
         },
         {
            "class":"io.smallrye.mutiny.groups.UniSubscribe",
            "method":"withSubscriber",
            "line":52
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2",
            "method":"handle",
            "line":101
         },
         {
            "class":"io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2",
            "method":"handle",
            "line":60
         },
         {
            "class":"io.vertx.ext.web.impl.RouteState",
            "method":"handleContext",
            "line":1284
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImplBase",
            "method":"iterateNext",
            "line":177
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImpl",
            "method":"next",
            "line":141
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$16",
            "method":"handle",
            "line":627
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$16",
            "method":"handle",
            "line":623
         },
         {
            "class":"io.vertx.ext.web.impl.RouteState",
            "method":"handleContext",
            "line":1284
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImplBase",
            "method":"iterateNext",
            "line":177
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImpl",
            "method":"next",
            "line":141
         },
         {
            "class":"io.quarkus.vertx.http.runtime.filters.accesslog.AccessLogHandler",
            "method":"handle",
            "line":151
         },
         {
            "class":"io.quarkus.vertx.http.runtime.filters.accesslog.AccessLogHandler",
            "method":"handle",
            "line":93
         },
         {
            "class":"io.vertx.ext.web.impl.RouteState",
            "method":"handleContext",
            "line":1284
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImplBase",
            "method":"iterateNext",
            "line":177
         },
         {
            "class":"io.vertx.ext.web.impl.RoutingContextImpl",
            "method":"next",
            "line":141
         },
         {
            "class":"io.vertx.ext.web.impl.RouterImpl",
            "method":"handle",
            "line":68
         },
         {
            "class":"io.vertx.ext.web.impl.RouterImpl",
            "method":"handle",
            "line":37
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$13",
            "method":"handle",
            "line":544
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$13",
            "method":"handle",
            "line":541
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$14",
            "method":"handle",
            "line":595
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$14",
            "method":"handle",
            "line":592
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$15",
            "method":"handle",
            "line":618
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$15",
            "method":"handle",
            "line":601
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$1",
            "method":"handle",
            "line":185
         },
         {
            "class":"io.quarkus.vertx.http.runtime.VertxHttpRecorder$1",
            "method":"handle",
            "line":160
         },
         {
            "class":"io.vertx.core.http.impl.Http1xServerRequestHandler",
            "method":"handle",
            "line":67
         },
         {
            "class":"io.vertx.core.http.impl.Http1xServerRequestHandler",
            "method":"handle",
            "line":30
         },
         {
            "class":"io.vertx.core.impl.EventLoopContext",
            "method":"emit",
            "line":55
         },
         {
            "class":"io.vertx.core.impl.DuplicatedContext",
            "method":"emit",
            "line":158
         },
         {
            "class":"io.vertx.core.http.impl.Http1xServerConnection",
            "method":"handleMessage",
            "line":145
         },
         {
            "class":"io.vertx.core.net.impl.ConnectionBase",
            "method":"read",
            "line":157
         },
         {
            "class":"io.vertx.core.net.impl.VertxHandler",
            "method":"channelRead",
            "line":153
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"invokeChannelRead",
            "line":442
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"invokeChannelRead",
            "line":420
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"fireChannelRead",
            "line":412
         },
         {
            "class":"io.netty.handler.timeout.IdleStateHandler",
            "method":"channelRead",
            "line":286
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"invokeChannelRead",
            "line":442
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"invokeChannelRead",
            "line":420
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"fireChannelRead",
            "line":412
         },
         {
            "class":"io.netty.handler.codec.ByteToMessageDecoder",
            "method":"fireChannelRead",
            "line":346
         },
         {
            "class":"io.netty.handler.codec.ByteToMessageDecoder",
            "method":"channelRead",
            "line":318
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"invokeChannelRead",
            "line":444
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"invokeChannelRead",
            "line":420
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"fireChannelRead",
            "line":412
         },
         {
            "class":"io.netty.channel.DefaultChannelPipeline$HeadContext",
            "method":"channelRead",
            "line":1410
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"invokeChannelRead",
            "line":440
         },
         {
            "class":"io.netty.channel.AbstractChannelHandlerContext",
            "method":"invokeChannelRead",
            "line":420
         },
         {
            "class":"io.netty.channel.DefaultChannelPipeline",
            "method":"fireChannelRead",
            "line":919
         },
         {
            "class":"io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe",
            "method":"read",
            "line":166
         },
         {
            "class":"io.netty.channel.nio.NioEventLoop",
            "method":"processSelectedKey",
            "line":788
         },
         {
            "class":"io.netty.channel.nio.NioEventLoop",
            "method":"processSelectedKeysOptimized",
            "line":724
         },
         {
            "class":"io.netty.channel.nio.NioEventLoop",
            "method":"processSelectedKeys",
            "line":650
         },
         {
            "class":"io.netty.channel.nio.NioEventLoop",
            "method":"run",
            "line":562
         },
         {
            "class":"io.netty.util.concurrent.SingleThreadEventExecutor$4",
            "method":"run",
            "line":997
         },
         {
            "class":"io.netty.util.internal.ThreadExecutorMap$2",
            "method":"run",
            "line":74
         },
         {
            "class":"io.netty.util.concurrent.FastThreadLocalRunnable",
            "method":"run",
            "line":30
         },
         {
            "class":"java.lang.Thread",
            "method":"run",
            "line":833
         }
      ]
   }
}

Expected behavior

The request is rejected with HTTP 401 unauthorized or HTTP 302 redirect to identity provider

Actual behavior

The request is running forever, the server log contains an exception.

How to Reproduce?

  1. Start your Quarkus application with following settings
quarkus.oidc.enabled=true
quarkus.oidc.application-type=web-app
quarkus.oidc.credentials.client-secret.method=post
quarkus.oidc.authentication.redirect-path=/
quarkus.oidc.authentication.restore-path-after-redirect=true
quarkus.oidc.authentication.java-script-auto-redirect=false
quarkus.oidc.authentication.user-info-required=true

  1. Make a call to a request URL like this one: http://localhost:8080/svn///;@example.com

  2. In the backend you find following exception:

ERROR [io.qua.ver.htt.run.QuarkusErrorHandler] (vert.x-eventloop-thread-3) HTTP Request to /svn///;@example.com failed, error id: f11d67d6-3985-4562-a7e3-dde95e01fef4-2: java.lang.IllegalArgumentException: Cookie value contains an invalid char: ;
	at io.netty.handler.codec.http.cookie.CookieEncoder.validateCookie(CookieEncoder.java:48)
	at io.netty.handler.codec.http.cookie.ServerCookieEncoder.encode(ServerCookieEncoder.java:94)
	at io.vertx.core.http.impl.CookieImpl.encode(CookieImpl.java:147)
	at io.vertx.core.http.impl.Http1xServerResponse.setCookies(Http1xServerResponse.java:725)
	at io.vertx.core.http.impl.Http1xServerResponse.prepareHeaders(Http1xServerResponse.java:713)
	at io.vertx.core.http.impl.Http1xServerResponse.end(Http1xServerResponse.java:408)
	at io.vertx.core.http.impl.Http1xServerResponse.end(Http1xServerResponse.java:387)
	at io.vertx.core.http.impl.Http1xServerResponse.end(Http1xServerResponse.java:456)
	at io.quarkus.vertx.http.runtime.filters.AbstractResponseWrapper.end(AbstractResponseWrapper.java:233)
	at io.quarkus.vertx.http.runtime.security.HttpAuthorizer$4$1.onItem(HttpAuthorizer.java:174)
	at io.quarkus.vertx.http.runtime.security.HttpAuthorizer$4$1.onItem(HttpAuthorizer.java:165)
	at io.smallrye.mutiny.operators.uni.UniOnItemTransformToUni$UniOnItemTransformToUniProcessor.onItem(UniOnItemTransformToUni.java:60)

Output of uname -a or ver

No response

Output of java -version

openjdk 11.0.7 2020-04-14 LTS

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.16.3.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Gradle 7.3.3

Additional information

No response
@sschellh sschellh added the kind/bug Something isn't working label Mar 13, 2023
@quarkus-bot
Copy link

quarkus-bot bot commented Mar 13, 2023

/cc @pedroigor (oidc), @sberyozkin (oidc)

@gsmet
Copy link
Member

gsmet commented Mar 13, 2023

i would expect the cookie values to be properly escaped by the low level layers. @sberyozkin could you have a look at what's going on?

@sberyozkin
Copy link
Member

@gsmet Sure, though I have to look after a few other issues first. It does appear that the lower level Vert.x code gets affected/confused by such a path, HttpAuthorizer code just tries to end the request where the exception is triggered, anonymous SecurityIdentity has been correctly calculated by this point, and the OIDC code does not even set any cookies AFAIK in such cases.

@sberyozkin
Copy link
Member

@sschellh Can you check please where the cookies are coming from unauthenticated requests when the path does not cause the exception ? Are these application specific cookies or set by Quarkus (please check what the browser console shows) ?

@sschellh
Copy link
Author

@sberyozkin There are no cookies. I called the application using curl to make sure there is nothign the browser sends. Same result.

me@host:~$ curl "http://localhost:8080/svn///;@example.com"
curl: (52) Empty reply from server

@sberyozkin
Copy link
Member

@sschellh What 'curl -v' shows when you call a path without these special characters?
Also, how is endpoint expected to handle authenticated requests with such special characters is setup ?
Please also show the relevant access log config

Thanks

@sschellh
Copy link
Author

@sberyozkin

  1. When the request is authenticated, then those requests are answered with an HTTP 404. I guess that makes perfect sense as the path does not exist.
  2. When making an unauthenticated call to a path that contains a semicolon, then the error shows up immediately in the log. There is no entry written to the access log though.
  3. When calling a valid URL, curl looks like this:
user@host:~$ curl http://localhost:8080 -v
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Content-Security-Policy: default-src 'self'
< location: https://.../authorize?response_type=code&client_id=xxx&scope=openid+profile+...&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&state=b95f5de5-36cc-4681-83f0-84c42fedfbbb
< content-length: 0
< set-cookie: q_auth=b95f5de5-36cc-4681-83f0-84c42fedfbbb; Max-Age=1800; Expires=Tue, 14 Mar 2023 09:44:48 GMT; Path=/; HTTPOnly
<
* Connection #0 to host localhost left intact

@sberyozkin
Copy link
Member

sberyozkin commented Mar 14, 2023
edited
Loading

@sschellh Thanks, so the request with special characters has no any server handler available, JAX-RS resource method or Vert.x route listening specifically to handle such requests.
I have to admit, I doubt 401 or 403 should be returned in such cases as it implies the path is protected as opposed to being just invalid/non-existent for the endpoint and you just should get 404. That confusing server exception should not happen though, and once it is resolved, 500 will likely be returned, as it it is a consequence of ending the request which has not been handled but as you see it won't be consistent with 404 you get when the request with special characters in the path is authenticated.

I think if you disable the proactive authentication then you might get 404 immediately since in that case the security layer runs as part of the JAX-RS chain so if the path handler does not exist 404 should be returned.

@sschellh
Copy link
Author

@sberyozkin

I just saw I forgot to list one setting. The root path is protected and hence those (invalid) paths would require authentication. Hence 401 (or 302 redirect to idp) seems logical.

quarkus.http.auth.permission.auth.paths=/*
quarkus.http.auth.permission.auth.policy=authenticated

@pmlopes
Copy link
Contributor

pmlopes commented Mar 20, 2023

There is nothing wrong with the URLs. According to https://www.rfc-editor.org/rfc/rfc3986#section-2

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:/?#[]@!$&'()*+,;=

Are valid characters, so a ; isn't the problem, though. The exception message Cookie value contains an invalid char: ;claims that the cookie value contains invalid characters. A conditional breakpoint ends up in:

CodeAuthenticationMechanism#generateCodeFlowState()

Say you request: http://localhost:8080/?; The code will end up in:

} else if (context.request().query() != null) {
    CodeAuthenticationStateBean extraStateValue = new CodeAuthenticationStateBean();
    extraStateValue.setRestorePath("?" + context.request().query());
    cookieValue += (COOKIE_DELIM + encodeExtraStateValue(extraStateValue, configContext));
}

Note that the there is no PKCE so the encoder just returns context.request().query() as a call to getRestorePath().

As ; is valid in the query string, you are creating a cookie like:

q_auth=<UUID>|/?;              <-- note the ;

; is a cookie delimiter because a response can include multiple cookies in a single header. The spec doesn't allow multiple Set-Cookie headers. Because of that an exception is thrown but not properly handled in the OIDC common code.

The solution is to escape the cookie data before trying to encode. Note that It seems (didn't test) it doesn't happen when PKCE is enabled because in that case, PKCE will be encrypted as a json object including the restore path and base64 encoded, which "solves" it.

@sberyozkin
Copy link
Member

sberyozkin commented Mar 23, 2023
edited
Loading

Great stuff @pmlopes, thanks for doing this analysis, all right then, the culprit is quarkus-oidc after all :-). Would you be interested to create your first PR for quarkus oidc :-) ?

But what about for ex

set-cookie: q_auth=6b6a7588-802f-49ea-a276-64e6bac263d1|/auth/authenticateAndRedirect?url=http%3A%2F%2Flocalhost%3A3000%2F; Max-Age=1800; Expires=Wed, 22 Mar 2023 13:44:01 GMT; Path=/; HTTPOnly

See there, ; is also present in the state cookie value but it works ?

I'm a little bit wary about the encoding as then I guess we'd need to decode and there is always one short step to some unexpected results, if the path already contains an encoded %XX then we'll end up with double encoding it.

@gsmet
Copy link
Member

gsmet commented Aug 21, 2024

@pmlopes I'm personally a bit skeptical that Vert.x doesn't handle the encoding of the cookie for you given you use a proper API to add one cookie with a specific value - I would at least expect that ; is properly escaped.
Or at least we should have an option to get it done transparently, and have a VERY prominent javadoc stating pushing a value using Cookie is not safe.

Now, I will create a PR with a possible fix but I have no idea how to test it so it's more to start a conversation.

gsmet added a commit to gsmet/quarkus that referenced this issue Aug 21, 2024
@gsmet
Encode URL in OIDC cookie
6f27735 
Fix quarkusio#31802
@gsmet gsmet mentioned this issue Aug 21, 2024
Merged
@gsmet
Copy link
Member

gsmet commented Aug 21, 2024

I created #42684 to initiate a discussion.

@quarkus-bot quarkus-bot bot added this to the 3.16 - main milestone Sep 1, 2024
@gsmet gsmet modified the milestones: 3.16 - main, 3.14.2 Sep 2, 2024
gsmet added a commit to gsmet/quarkus that referenced this issue Sep 2, 2024
@gsmet
Encode URL in OIDC cookie
4746812 
Fix quarkusio#31802

(cherry picked from commit 3ffa6ec)
gsmet added a commit to gsmet/quarkus that referenced this issue Sep 3, 2024
@gsmet
Encode URL in OIDC cookie
13a3573 
Fix quarkusio#31802

(cherry picked from commit 3ffa6ec)
danielsoro pushed a commit to danielsoro/quarkus that referenced this issue Sep 20, 2024
@gsmet @danielsoro
Encode URL in OIDC cookie
0775f91 
Fix quarkusio#31802
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/oidc kind/bug Something isn't working
Projects
None yet
Milestone
3.14.2
Development

Successfully merging a pull request may close this issue.

Encode URL in OIDC cookie gsmet/quarkus
4 participants
@sberyozkin @pmlopes @gsmet @sschellh