
ERROR 400 Ambiguous URI path separator #4238

Open · 2 tasks done
ybelMekk opened this issue Oct 10, 2024 · 5 comments

Assignees: nscuro
Labels: defect (Something isn't working), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)
Milestone: 4.12.1

Comments

ybelMekk (Contributor) commented Oct 10, 2024

Current Behavior

In my test environment, I set up a Docker Compose file with Dependency-Track version 4.12.0.

In production, we are currently running version 4.11.7, and the endpoint described below works without issues, both in production and the test environment.

We make extensive use of tags, especially prior to the introduction of the new tag feature, so it's fair to say that we overuse the /project/tag endpoint.

In the latest version, however, I'm unable to query tags because I receive an ERROR 400 Ambiguous URI path separator when a request query includes a tag that contains a forward slash `/`.

Were there any changes in the latest release regarding the handling of UTF-8 encoded query strings? Specifically, is there now any support for queries with slashes in tags?

Steps to Reproduce

  1. Any query-escaped string containing a slash sent to the endpoint `/project/tag`.

For example:

curl -X 'GET' \
  'http://localhost:9010/api/v1/project/tag/project%3Aeurope-north1-docker.pkg.dev%2Fmy-p?pageNumber=1&pageSize=100' \
  -H 'accept: application/json' \
  -H 'X-Api-Key: my-key'

Expected Behavior

Return all projects with that tag.

Dependency-Track Version

4.12.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15

Browser

Other

Checklist

@ybelMekk ybelMekk added defect Something isn't working in triage labels Oct 10, 2024
nscuro (Member) commented Oct 10, 2024

Appears to be caused by a behavior change in Jetty: jetty/jetty.project#12162

@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort and removed in triage labels Oct 10, 2024
@nscuro nscuro added this to the 4.12.1 milestone Oct 10, 2024
@nscuro nscuro self-assigned this Oct 10, 2024
ybelMekk (Contributor, Author) commented:

Thanks for the quick feedback @nscuro.

nscuro (Member) commented Oct 10, 2024

There seem to be ways to make it behave like before, I'll ensure we ship a fix with the next bugfix release.

nscuro added a commit to nscuro/Alpine that referenced this issue Oct 10, 2024
…ment

Due to a change in Jetty 12 and the Servlet API 6, it is no longer valid to pass URL-encoded values as path parameters. This is problematic for REST APIs such as Dependency-Track's, where this behavior causes endpoints to be unusable with certain parameters: DependencyTrack/dependency-track#4238

Restore the legacy behavior of Jetty 9 for now. For the next major version bump of Alpine, this can be reversed to follow Servlet API 6 more strictly.
nscuro added a commit to nscuro/Alpine that referenced this issue Oct 10, 2024
…ment

Due to a change in Jetty 12 and the Servlet API 6, it is no longer valid to pass URL-encoded values as path parameters. This is problematic for REST APIs such as Dependency-Track's, where this behavior causes endpoints to be unusable with certain parameters: DependencyTrack/dependency-track#4238

Restore the legacy behavior of Jetty 9 for now. For the next major version bump of Alpine, this can be reversed to follow Servlet API 6 more strictly.

Signed-off-by: nscuro <[email protected]>
nscuro added a commit to nscuro/dependency-track-frontend that referenced this issue Oct 10, 2024
The *tagged projects*, *tagged policies*, and *tagged alerts* dialogs would show an empty list for tags that contain special characters such as `/`.

This was caused by both DependencyTrack/dependency-track#4238, and tag names not being URI-encoded prior to using them as path parameters.

Signed-off-by: nscuro <[email protected]>
nscuro added a commit to nscuro/dependency-track-frontend that referenced this issue Oct 10, 2024
The *tagged projects*, *tagged policies*, and *tagged alerts* dialogs would show an empty list for tags that contain special characters such as `/`.

This was caused by both DependencyTrack/dependency-track#4238, and tag names not being URI-encoded prior to using them as path parameters.

Signed-off-by: nscuro <[email protected]>
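A worked illustration of the two halves of this thread, the client-side encoding of a tag that contains `/` (the frontend commit above) and the strict-versus-lenient server-side handling that produces the 400 (the Alpine commit above), added here as an example; it is not code from Dependency-Track, Alpine, Jetty or the frontend. The base URL, endpoint and tag value are taken from the report's curl command; the function names and the `allowEncodedSlash` option are assumptions used for illustration.

```javascript
// Added example, not project code. Shows (1) how a tag containing "/" must be
// percent-encoded as a single path *segment* on the client, and (2) why a router
// that sees "%2F" inside a segment calls the URI "ambiguous" and, under the strict
// Jetty 12 / Servlet 6 defaults, answers 400, while the legacy Jetty 9 behaviour
// (restored by the Alpine commit) accepts it.

// From the issue's curl example.
const BASE_URL = "http://localhost:9010/api/v1";

// Client side: build the tagged-projects URL for a tag name.
// encodeURIComponent escapes "/" as %2F and ":" as %3A; encodeURI would leave "/"
// untouched, which is exactly the bug the frontend commit describes.
function taggedProjectsUrl(tag, { pageNumber = 1, pageSize = 100 } = {}) {
  const segment = encodeURIComponent(tag);
  const query = new URLSearchParams({
    pageNumber: String(pageNumber),
    pageSize: String(pageSize),
  });
  return `${BASE_URL}/project/tag/${segment}?${query}`;
}

// Server side, done correctly: split the still-encoded path on "/" first, then
// decode each segment. A segment whose decoded form contains "/" is the
// "ambiguous URI path separator" case. allowEncodedSlash is an assumed knob that
// models the lenient legacy behaviour versus the strict default.
function parseRawPath(rawPath, { allowEncodedSlash = false } = {}) {
  const pathOnly = rawPath.split("?")[0];
  const segments = pathOnly
    .split("/")
    .filter((s) => s.length > 0)
    .map((s) => decodeURIComponent(s));
  const ambiguous = segments.some((s) => s.includes("/"));
  if (ambiguous && !allowEncodedSlash) {
    return { status: 400, error: "Ambiguous URI path separator", segments };
  }
  return { status: 200, segments };
}

// Server side, done wrong: decode the whole path *before* splitting. The %2F
// turns into a real separator and the request routes as if it had one more
// segment, which is the path confusion strict routers exist to prevent.
function naiveSegments(rawPath) {
  const pathOnly = rawPath.split("?")[0];
  return decodeURIComponent(pathOnly)
    .split("/")
    .filter((s) => s.length > 0);
}

// Usage with the tag from the report's example URL.
const tag = "project:europe-north1-docker.pkg.dev/my-p";
const url = taggedProjectsUrl(tag);
const rawPath = url.slice(new URL(url).origin.length);
console.log(url);
console.log("strict  :", parseRawPath(rawPath).status);                              // 400
console.log("legacy  :", parseRawPath(rawPath, { allowEncodedSlash: true }).status);  // 200
console.log("naive segments:", naiveSegments(rawPath).length, "vs correct:",
  parseRawPath(rawPath, { allowEncodedSlash: true }).segments.length);               // 6 vs 5
```

The strict parser still yields the same five segments as the lenient one; the only difference is whether a decoded segment containing `/` is served or refused. The naive decode-then-split variant is the one that silently changes the route, which is why the Servlet 6 default treats `%2F` in a segment as an error rather than a value.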
janweinkauff commented:

We're experiencing the same issue and are looking forward to the fix. 🚀

nscuro (Member) commented Oct 22, 2024

Just waiting for an Alpine release so we can pull the fix in. Will release v4.12.1 immediately afterwards, it's ready otherwise.
