In most cases of custom error messages, we have successfully been using an implementation of DataFetcherExceptionHandler. In the case of an ANTLR parsing error, it's another story. I haven't found a way to catch such errors so that I can remove the offending payload from the error message. The offending payload being included in the error message is considered an XSS vulnerability by several security scanners.
Example payloads and responses:

**Request 1:**

```
{"query":""'>\n}\n"}
```

**Response 1:**

```
{"errors":[{"message":"Invalid syntax with ANTLR error 'token recognition error at: '"'>\n'' at line 1 column 1","locations":[{"line":1,"column":1}],"extensions":{"classification":"InvalidSyntax","errorType":"BAD_REQUEST"}}]}
```

**Request 2:**

```
{"query":""'><<SCRIPT a=2>qssShh9GoCl=7;//<</SCRIPT>\n}\n"}
```

**Response 2:**

```
{"errors":[{"message":"Invalid syntax with ANTLR error 'token recognition error at: '"'><<SCRIPT a=2>qssShh9GoCl=7;//<</SCRIPT>\n'' at line 1 column 1","locations":[{"line":1,"column":1}],"extensions":{"classification":"InvalidSyntax","errorType":"BAD_REQUEST"}}]}
```

**Request 3:**

```
{"query":"query {\n myCustomQuery"'>\n}\n"}
```

**Response 3:**

```
{"errors":[{"message":"Invalid syntax with ANTLR error 'token recognition error at: '"'>\n'' at line 2 column 42","locations":[{"line":2,"column":42}],"extensions":{"classification":"InvalidSyntax","errorType":"BAD_REQUEST"}}]}
```

**Request 4:**

```
{"query":"">\n}\n"}
```

**Response 4:**

```
{"errors":[{"message":"Invalid syntax with ANTLR error 'token recognition error at: '">\n'' at line 1 column 1","locations":[{"line":1,"column":1}],"extensions":{"classification":"InvalidSyntax","errorType":"BAD_REQUEST"}}]}
```

**Request 5:**

```
{"query":""'><qssLxzqmW69 ;!--=&{()}>\n}\n"}
```

**Response 5:**

```
{"errors":[{"message":"Invalid syntax with ANTLR error 'token recognition error at: '\"'><qssLxzqmW69 ;!--=&{()}>\n'' at line 1 column 1","locations":[{"line":1,"column":1}],"extensions":{"classification":"InvalidSyntax","errorType":"BAD_REQUEST"}}]}
```
Most of the time I want error messages with specifics. However, in the case that bad characters are provided, is there a way we can sanitize or HTML encode the error message? These types of messages never make it down to DataFetcherExceptionHandler or WebGraphQlInterceptor. Any possible solutions would be much appreciated.
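As an added illustration of the post-processing the question asks for (example code, not from the post and not part of Spring GraphQL or graphql-java), the sketch below redacts or HTML-encodes the client input that the quoted messages echo, and includes the check a test suite could run to detect such reflection. It operates on the decoded response as a dict, the sample is constructed from Response 2 above, and the `ANTLR_ECHO` pattern is assumed to cover only the "token recognition error" message shape shown here; where such a hook would attach in the Spring GraphQL pipeline is left open.

```python
import copy
import html
import re

# Message shape quoted in the post: graphql-java wraps the ANTLR text in single
# quotes and ANTLR quotes the unrecognised input after "at: ", so the raw client
# characters sit between "at: '" and "'' at line N column M".
ANTLR_ECHO = re.compile(
    r"^(?P<head>Invalid syntax with ANTLR error 'token recognition error at: ')"
    r"(?P<echo>.*)"
    r"(?P<tail>'' at line \d+ column \d+)$",
    re.DOTALL,
)

# Constructed sample modelled on Response 2 from the post (a Python dict rather
# than raw JSON so the embedded quotes are unambiguous).
SAMPLE_RESPONSE = {
    "errors": [{
        "message": "Invalid syntax with ANTLR error 'token recognition error "
                   "at: '\"'><<SCRIPT a=2>qssShh9GoCl=7;//<</SCRIPT>\\n'' "
                   "at line 1 column 1",
        "locations": [{"line": 1, "column": 1}],
        "extensions": {"classification": "InvalidSyntax",
                       "errorType": "BAD_REQUEST"},
    }]
}

def sanitize_message(message: str, mode: str = "redact") -> str:
    """Drop ("redact") or HTML-encode ("encode") the client input echoed in an
    ANTLR syntax error; other message shapes are returned untouched."""
    m = ANTLR_ECHO.match(message)
    if m is None:
        return message
    echo = html.escape(m.group("echo"), quote=True) if mode == "encode" else "[redacted]"
    return m.group("head") + echo + m.group("tail")

def sanitize_response(response: dict, mode: str = "redact") -> dict:
    """Copy of a GraphQL response with every error message sanitized; locations
    and extensions are left as they are."""
    out = copy.deepcopy(response)
    for err in out.get("errors", []):
        if isinstance(err.get("message"), str):
            err["message"] = sanitize_message(err["message"], mode)
    return out

def messages_with_markup(response: dict) -> list:
    """Detection check for a test suite: error messages that still carry '<' or
    '>', which is what the scanners mentioned in the post flag as reflected."""
    return [e["message"] for e in response.get("errors", [])
            if any(c in e.get("message", "") for c in "<>")]
```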