java.lang.IllegalArgumentException: Dangerous string detected: /builds//authors/viewAuthor.action?authorName=unknown <user@domain.com>

Atlassian JIRA | Jaime Silveira [Atlassian] | 2 years ago
  1. 0

    In some pages, Bamboo shows the authors of commits, even if they're not local users. If they're not associated with a user, they are shown like this:

    !branch_author.png|thumbnail!

    We can see it follows this pattern: Display name <user@domain.com>

    When clicking this user, we get this 'Internal Server Error Page':

    !error_page.png|thumbnail!

    The following stacktrace is shown:

    {noformat}
    java.lang.IllegalArgumentException: Dangerous string detected: /builds//authors/viewAuthor.action?authorName=unknown <user@domain.com>
        at com.atlassian.bamboo.util.RequestCacheThreadLocal.assertNoXss(RequestCacheThreadLocal.java:157)
        at com.atlassian.bamboo.util.RequestCacheThreadLocal.putHttpRequest(RequestCacheThreadLocal.java:145)
        at com.atlassian.bamboo.util.RequestCacheThreadLocal.setRequestCache(RequestCacheThreadLocal.java:53)
        at com.atlassian.bamboo.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:31)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:32)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
        at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70)
    {noformat}

    Since it says it's a 'Dangerous string detected', it seems that the URL is the problem. The accessed URL is as follows:

    {noformat}
    https://instance.atlassian.net/builds/browse/author/Display%20Name%20<user@domain.com>
    {noformat}

    We can see that the URL contains the '<' and '>' characters. Maybe these are badly interpreted by Bamboo.

    *Steps to Reproduce*
    # Have a plan connected to a repository in Bamboo
    # Commit to the repository with a user that doesn't exist in Bamboo (and not associated with any), the plan will run a build
    # This user will appear in many pages in Bamboo as the commit author (it will have a '<' and '>' in its name), you can find it in the build page under 'Commits' for example. Once found, click it

    *Expected Behavior*
    * Either some information about the user is shown or a message saying it doesn't exist in Bamboo

    *Actual Behavior*
    * An Internal Server Error Page is shown

    Atlassian JIRA | 2 years ago | Jaime Silveira [Atlassian]
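
    The failure mode in the report above, as an added example that is not Bamboo's code and not part of the original issue: a request guard that rejects any '<' or '>' turns a legitimate `Display name <user@domain.com>` author into an error, while encoding at output handles the same value safely. `rejectAngleBrackets` and `escapeHtml` are hypothetical stand-ins (the page does not show how `assertNoXss` is implemented), and the guard is assumed to inspect the decoded value, as the literal '<' in the exception message suggests.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class AuthorLinkDemo {
    // Hypothetical stand-in for a request-level guard; it only mirrors the message on the page.
    static void rejectAngleBrackets(String decodedUrl) {
        if (decodedUrl.indexOf('<') >= 0 || decodedUrl.indexOf('>') >= 0) {
            throw new IllegalArgumentException("Dangerous string detected: " + decodedUrl);
        }
    }

    // Escape the characters that matter in HTML text and quoted attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String author = "unknown <user@domain.com>"; // commit author as shown on the page
        String base = "/builds//authors/viewAuthor.action?authorName=";
        // Percent-encoding keeps the link well-formed on the wire ...
        String encoded = URLEncoder.encode(author, StandardCharsets.UTF_8);
        System.out.println("href:    " + base + encoded);

        // ... but (assumption) the guard sees the decoded parameter, so a
        // blanket reject still fails on this legitimate value.
        String decoded = base + URLDecoder.decode(encoded, StandardCharsets.UTF_8);
        try {
            rejectAngleBrackets(decoded);
        } catch (IllegalArgumentException e) {
            System.out.println("guard:   " + e.getMessage());
        }

        // Encoding at the point of output renders the same value inertly.
        System.out.println("display: " + escapeHtml(author));
    }
}
```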
  3. 0
    samebug tip
    Some bots are sending malformed HTTP requests to your site. Try to find their IP addresses in the access logs and ask them to fix the bots or blacklist them.

  5. 0
    samebug tip
    This error is caused by a malformed HTTP request. You are trying to access an unsecured page through https.

    Root Cause Analysis

    1. java.lang.IllegalArgumentException

      Dangerous string detected: /builds//authors/viewAuthor.action?authorName=unknown <user@domain.com>

      at com.atlassian.bamboo.util.RequestCacheThreadLocal.assertNoXss()
    2. com.atlassian.bamboo
      RequestCacheThreadLocalFilter.doFilter
      1. com.atlassian.bamboo.util.RequestCacheThreadLocal.assertNoXss(RequestCacheThreadLocal.java:157)
      2. com.atlassian.bamboo.util.RequestCacheThreadLocal.putHttpRequest(RequestCacheThreadLocal.java:145)
      3. com.atlassian.bamboo.util.RequestCacheThreadLocal.setRequestCache(RequestCacheThreadLocal.java:53)
      4. com.atlassian.bamboo.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:31)
      4 frames
    3. Glassfish Core
      ApplicationFilterChain.doFilter
      1. org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      2. org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      2 frames
    4. com.atlassian.core
      HeaderSanitisingFilter.doFilter
      1. com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:32)
      1 frame
    5. Glassfish Core
      ApplicationFilterChain.doFilter
      1. org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      2. org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      2 frames
    6. com.atlassian.plugin
      DelegatingPluginFilter$1.doFilter
      1. com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
      2. com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70)
      2 frames