This repository was archived by the owner on Apr 21, 2025. It is now read-only.

Stack Traces shouldn't be shared for server errors #1871

@brunobowden

Description

Summary

An internal server error - in this case a null pointer exception - shouldn't be shared outside the server. Though no information leakage seems to be possible at the moment, this should be fixed for the future.

Reproduction Steps

Note the back quote supplied for the jurisdictionType field as an invalid parameter. This should be rejected as invalid.

Beyond that, the more important fix is that any error, e.g. a NullPointerException, shouldn't share the stack trace. We should make this optional though, so it could be shared on the development machines and maybe on the hacking server to be helpful for hackers.

```shell
curl -i \
  -H 'Content-Type: application/json' \
  -H 'Who-Client-ID: 00000000-0000-0000-0000-000000000000' \
  -H 'Who-Platform: WEB' \
  -X POST 'https://staging.whocoronavirus.org/WhoService/getCaseStats' \
  -d '{ "jurisdictions": [ { "jurisdictionType": "`"} ] }'
```

Response:

```
HTTP/2 500 
content-type: text/html;charset=utf-8
x-cloud-trace-context: f49bfc0c69eba3b36e1eb6babc64e3ca;o=1
date: Tue, 22 Dec 2020 19:13:22 GMT
server: Google Frontend
content-length: 8916
via: 1.1 google
alt-svc: clear

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>500 java.lang.NullPointerException
	at who.StoredCaseStats.load(StoredCaseStats.java:101)
	at who.WhoServiceImpl.getCaseStats(WhoServiceImpl.java:117)
	at sun.reflect.GeneratedMethodAccessor18.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at present.rpc.RpcInvocation$2.proceed(RpcInvocation.java:98)
	at present.rpc.RpcInterceptorChain$ChainedInvocation.proceed(RpcInterceptorChain.java:43)
	at present.rpc.RpcInterceptorChain$ChainedInvocation.proceed(RpcInterceptorChain.java:43)
...
```

Expected Behavior

  1. That if this error occurs, no stack trace is given
  2. That this causes a 400 bad argument response
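The two expected behaviours above, as an added illustration in plain Java (example code, not the project's own; the JurisdictionType enum, the BadRequest class, the simulated getCaseStats body and the exposeStackTraces flag are all assumptions made here, not the service's real API). Input is validated before any loading happens, so a stray back quote is answered with a 400 and no trace; an unexpected runtime exception is logged in full on the server under a correlation id, and the client only ever sees that id unless the flag is enabled for developer machines:

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.Map;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example: sanitized error handling for an RPC-style endpoint. */
public final class SafeErrorHandling {
    private static final Logger LOG = Logger.getLogger(SafeErrorHandling.class.getName());

    /** Hypothetical stand-in for the service's real jurisdictionType values. */
    enum JurisdictionType { GLOBAL, COUNTRY, STATE }

    /** Minimal HTTP-like response holder (assumption, not a framework type). */
    public static final class Response {
        public final int status;
        public final String body;
        Response(int status, String body) { this.status = status; this.body = body; }
    }

    /** Thrown for client-side input errors; always mapped to a 400. */
    static final class BadRequest extends RuntimeException {
        BadRequest(String msg) { super(msg); }
    }

    /** Validates user input up front, so an invalid value never reaches the loader. */
    static JurisdictionType parseJurisdictionType(String raw) {
        if (raw == null) throw new BadRequest("jurisdictionType is required");
        try {
            return JurisdictionType.valueOf(raw.trim().toUpperCase());
        } catch (IllegalArgumentException e) {
            // The raw value is attacker-controlled: reject it without echoing it back.
            throw new BadRequest("jurisdictionType is not a recognised value");
        }
    }

    /** Simulated handler body; STATE stands in for whatever made the real loader throw. */
    static String getCaseStats(Map<String, String> params) {
        JurisdictionType t = parseJurisdictionType(params.get("jurisdictionType"));
        if (t == JurisdictionType.STATE) {
            throw new NullPointerException("stats for STATE not loaded");
        }
        return "{\"jurisdictionType\":\"" + t + "\",\"cases\":0}";
    }

    /**
     * Wraps a handler call and converts exceptions into responses.
     * exposeStackTraces should be true only on developer machines or the
     * hackathon server, never in production.
     */
    public static Response invoke(Map<String, String> params, boolean exposeStackTraces) {
        try {
            return new Response(200, getCaseStats(params));
        } catch (BadRequest e) {
            return new Response(400, "{\"error\":\"" + e.getMessage() + "\"}");
        } catch (RuntimeException e) {
            // The correlation id lets operators find the full trace in the server log
            // without the client ever seeing class names or line numbers.
            String incidentId = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "incident " + incidentId + " in getCaseStats", e);
            if (exposeStackTraces) {
                StringWriter sw = new StringWriter();
                e.printStackTrace(new PrintWriter(sw));
                return new Response(500, sw.toString());
            }
            return new Response(500,
                "{\"error\":\"internal server error\",\"incidentId\":\"" + incidentId + "\"}");
        }
    }

    public static void main(String[] args) {
        // Invalid input, as in the curl reproduction: validation rejects it with a 400.
        Response bad = invoke(Map.of("jurisdictionType", "`"), false);
        System.out.println(bad.status + " " + bad.body);
        // Server-side failure with traces hidden: opaque body plus incident id.
        Response crash = invoke(Map.of("jurisdictionType", "STATE"), false);
        System.out.println(crash.status + " " + crash.body);
        // Same failure with the developer flag on: the trace is returned for debugging.
        Response dev = invoke(Map.of("jurisdictionType", "STATE"), true);
        System.out.println(dev.status + " " + dev.body.contains("NullPointerException"));
    }
}
```

Two design points carry over to the real service: the validation error message is a fixed string rather than the client's input, so the 400 path cannot be turned into a reflection channel, and the 500 path logs before it decides what to return, so switching the flag off never costs operators the trace.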

Labels: security (Relating to security), source:team (From active team members)