Filter out invalid HTTP method in the error message of no handler fou…

…nd for a REST request Signed-off-by: Tianli Feng <ftianli@amazon.com>
opensearch-project · Jun 1, 2022 · 863e272 · 863e272
1 parent 34f1b8f
commit 863e272
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/server/src/main/java/org/opensearch/rest/RestController.java b/server/src/main/java/org/opensearch/rest/RestController.java
@@ -448,7 +448,9 @@ private void handleUnsupportedHttpMethod(
                 msg.append("Incorrect HTTP method for uri [").append(uri);
                 msg.append("] and method [").append(method).append("]");
             } else {
-                msg.append(exception.getMessage());
+                // Not using the error message directly from 'exception.getMessage()' to avoid unescaped HTML special characters,
+                // in case false-positive cross site scripting vulnerability is detected by common security scanners.
+                msg.append("Unexpected http method");
             }
             if (validMethodSet.isEmpty() == false) {
                 msg.append(", allowed: ").append(validMethodSet);

diff --git a/server/src/test/java/org/opensearch/rest/RestControllerTests.java b/server/src/test/java/org/opensearch/rest/RestControllerTests.java
@@ -632,6 +632,7 @@ public Exception getInboundException() {
         assertTrue(channel.getSendResponseCalled());
         assertThat(channel.getRestResponse().getHeaders().containsKey("Allow"), equalTo(true));
         assertThat(channel.getRestResponse().getHeaders().get("Allow"), hasItem(equalTo(RestRequest.Method.GET.toString())));
+        assertThat(channel.getRestResponse().content().utf8ToString(), containsString("Unexpected http method"));
     }
 
     private static final class TestHttpServerTransport extends AbstractLifecycleComponent implements HttpServerTransport {