Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CreateServiceInstanceRequest Class is not handling empty request body exception #329

Closed
sreeteja7 opened this issue Aug 12, 2021 · 4 comments · Fixed by #333
Closed

CreateServiceInstanceRequest Class is not handling empty request body exception #329

sreeteja7 opened this issue Aug 12, 2021 · 4 comments · Fixed by #333
Milestone
3.4.0-M2

Comments

@sreeteja7
Copy link

When triggered PUT API v2/service_instances/{instance_id} by passing empty request body it gives complete stack trace which reveals the internals of the classes used

{
    "description": "Required request body is missing: public reactor.core.publisher.Mono<org.springframework.http.ResponseEntity<org.springframework.cloud.servicebroker.model.instance.CreateServiceInstanceResponse>> org.springframework.cloud.servicebroker.controller.ServiceInstanceController.createServiceInstance(java.util.Map<java.lang.String, java.lang.String>,java.lang.String,boolean,java.lang.String,java.lang.String,java.lang.String,org.springframework.cloud.servicebroker.model.instance.CreateServiceInstanceRequest)"
}

This is with spring-cloud-open-service-broker v3.3.0

Please open a CVE and fix this here /~https://github.com/spring-cloud/spring-cloud-open-service-broker/blob/8bdf3d6135b8308d07342eeb741b747596b1cfe0/spring-cloud-open-service-broker-core/src/main/java/org/springframework/cloud/servicebroker/model/instance/CreateServiceInstanceRequest.java
@sreeteja7
Copy link
Author

We see this issue in 2.1.x of Spring boot which is using spring broker 3.0.x

@sreeteja7
Copy link
Author

@royclarkson @scottfrederick
Would you want to check on this ?? I see you guys in the author section :)

@royclarkson
Copy link
Member

Thanks for reporting. We'll review and determine a proper fix.

@royclarkson
Copy link
Member

Can you confirm that you are using Spring Boot 2.1 and Spring Cloud Open Service Broker 3.0 and the specific versions of each? Have you tried to upgrade to the latest version 3.3.0 with Spring Boot 2.4? Where are you seeing the complete stack trace? Thanks.

royclarkson added a commit that referenced this issue Sep 30, 2021
@royclarkson
Return a 400 for a request with an empty body or mismatched content type
6695347 
The OSB spec states "If a Service Broker rejects a request due to a
mismatched Content-Type or the body is unprocessable it SHOULD respond with
400 Bad Request"

Previously, a request with an empty body or a mismatched content type would
result in exceptions being thrown that would be handled by the generic
exception handler in Spring Cloud Open Service Broker, which would then
return a 500 response.

see /~https://github.com/openservicebrokerapi/servicebroker/blob/v2.16/spec.md#content-type

closes #329
@royclarkson royclarkson mentioned this issue Sep 30, 2021
Merged
royclarkson added a commit that referenced this issue Sep 30, 2021
@royclarkson
Return a 400 for a request with an empty body or mismatched content type
3d7ce7d 
The OSB spec states "If a Service Broker rejects a request due to a
mismatched Content-Type or the body is unprocessable it SHOULD respond with
400 Bad Request"

Previously, a request with an empty body or a mismatched content type would
result in exceptions being thrown that would be handled by the generic
exception handler in Spring Cloud Open Service Broker, which would then
return a 500 response.

see /~https://github.com/openservicebrokerapi/servicebroker/blob/v2.16/spec.md#content-type

closes #329
@royclarkson royclarkson added this to the 3.4.0-M2 milestone Sep 30, 2021
royclarkson added a commit that referenced this issue Sep 30, 2021
@royclarkson
Return a 400 for a request with an empty body or mismatched content type
6b9e223 
The OSB spec states "If a Service Broker rejects a request due to a
mismatched Content-Type or the body is unprocessable it SHOULD respond with
400 Bad Request"

Previously, a request with an empty body or a mismatched content type would
result in exceptions being thrown that would be handled by the generic
exception handler in Spring Cloud Open Service Broker, which would then
return a 500 response.

see /~https://github.com/openservicebrokerapi/servicebroker/blob/v2.16/spec.md#content-type

closes #329
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.4.0-M2
2 participants
@royclarkson @sreeteja7