fix(api): address Copilot review feedback and add test coverage

tim48-robot · tim48-robot · commit 175de37db99e · 2026-02-05T10:23:37.000+07:00
- Use ObjectMapper for proper JSON escaping (prevents injection)
- Reuse ErrorResponse class for consistency with GlobalExceptionHandler
- Check response.isCommitted() before writing error response
- Catch IOException specifically instead of broad Exception
- Fix log message typo (clinicalDataBinCountFilter -&gt; clinicalDataCountFilter)
- Add comprehensive unit tests for error handling scenarios
diff --git a/src/main/java/org/cbioportal/legacy/web/util/InvolvedCancerStudyExtractorInterceptor.java b/src/main/java/org/cbioportal/legacy/web/util/InvolvedCancerStudyExtractorInterceptor.java
@@ -35,6 +35,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -43,6 +44,7 @@
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
+import org.cbioportal.application.rest.error.ErrorResponse;
 import org.cbioportal.legacy.model.AlterationFilter;
 import org.cbioportal.legacy.model.MolecularProfile;
 import org.cbioportal.legacy.model.MolecularProfileCaseIdentifier;
@@ -165,24 +167,29 @@ public class InvolvedCancerStudyExtractorInterceptor implements HandlerIntercept
    * @param message the error message to include in the response body
    */
   private void sendBadRequestResponse(HttpServletResponse response, String message) {
-    try {
-      response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
-      response.setContentType("application/json");
-      response.setCharacterEncoding("UTF-8");
+    if (response.isCommitted()) {
+      LOG.warn("Cannot send error response - response already committed");
+      return;
+    }
 
+    try {
       // Truncate message before Jackson source location info if present
-      String truncatedMessage = message;
+      String cleanMessage = message;
       int sourceIndex = message.indexOf(" at [Source:");
       if (sourceIndex != -1) {
-        truncatedMessage = message.substring(0, sourceIndex);
+        cleanMessage = message.substring(0, sourceIndex);
       }
 
-      String jsonError =
-          String.format("{\"message\":\"%s\"}", truncatedMessage.replace("\"", "\\\""));
-      response.getWriter().write(jsonError);
+      response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+      response.setContentType("application/json");
+      response.setCharacterEncoding("UTF-8");
+
+      // Use ObjectMapper for proper JSON escaping (matches GlobalExceptionHandler pattern)
+      ErrorResponse errorResponse = new ErrorResponse("Invalid request body: " + cleanMessage);
+      response.getWriter().write(objectMapper.writeValueAsString(errorResponse));
       response.getWriter().flush();
-    } catch (Exception ex) {
-      LOG.error("Failed to send error response: {}", ex.getMessage());
+    } catch (IOException ex) {
+      LOG.error("Failed to write error response: {}", ex.getMessage());
     }
   }
 
@@ -819,7 +826,7 @@ private boolean extractAttributesFromClinicalDataCountFilter(
       }
     } catch (Exception e) {
       LOG.error(
-          "exception thrown during extraction of clinicalDataBinCountFilter: {}", e.getMessage());
+          "exception thrown during extraction of clinicalDataCountFilter: {}", e.getMessage());
       sendBadRequestResponse(response, "Invalid request body: " + e.getMessage());
       return false;
     }
diff --git a/src/test/java/org/cbioportal/legacy/web/util/InvolvedCancerStudyExtractorInterceptorTest.java b/src/test/java/org/cbioportal/legacy/web/util/InvolvedCancerStudyExtractorInterceptorTest.java
@@ -0,0 +1,148 @@
+package org.cbioportal.legacy.web.util;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.*;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.ServletInputStream;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import org.cbioportal.legacy.persistence.cachemaputil.CacheMapUtil;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.mock.web.DelegatingServletInputStream;
+
+@RunWith(MockitoJUnitRunner.class)
+public class InvolvedCancerStudyExtractorInterceptorTest {
+
+  @InjectMocks private InvolvedCancerStudyExtractorInterceptor interceptor;
+
+  @Mock private CacheMapUtil cacheMapUtil;
+
+  @Mock private HttpServletRequest request;
+
+  @Mock private HttpServletResponse response;
+
+  @Spy private ObjectMapper objectMapper = new ObjectMapper();
+
+  private StringWriter responseWriter;
+
+  @Before
+  public void setUp() throws IOException {
+    responseWriter = new StringWriter();
+    when(response.getWriter()).thenReturn(new PrintWriter(responseWriter));
+    when(response.isCommitted()).thenReturn(false);
+    when(cacheMapUtil.hasCacheEnabled()).thenReturn(false);
+  }
+
+  private ServletInputStream createInputStream(String content) {
+    ByteArrayInputStream byteStream =
+        new ByteArrayInputStream(content.getBytes(StandardCharsets.UTF_8));
+    return new DelegatingServletInputStream(byteStream);
+  }
+
+  @Test
+  public void testMalformedJsonReturnsBadRequest() throws Exception {
+    when(request.getMethod()).thenReturn("POST");
+    when(request.getPathInfo()).thenReturn("/api/patients/fetch");
+    when(request.getInputStream()).thenReturn(createInputStream("{'invalid json'}"));
+
+    boolean result = interceptor.preHandle(request, response, null);
+
+    assertFalse("preHandle should return false for malformed JSON", result);
+    verify(response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
+    verify(response).setContentType("application/json");
+    assertTrue(
+        "Response should contain error message",
+        responseWriter.toString().contains("Invalid request body"));
+  }
+
+  @Test
+  public void testEmptyBodyReturnsBadRequest() throws Exception {
+    when(request.getMethod()).thenReturn("POST");
+    when(request.getPathInfo()).thenReturn("/api/samples/fetch");
+    when(request.getInputStream()).thenReturn(createInputStream(""));
+
+    boolean result = interceptor.preHandle(request, response, null);
+
+    assertFalse("preHandle should return false for empty body", result);
+    verify(response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
+  }
+
+  @Test
+  public void testValidJsonPassesThrough() throws Exception {
+    String validJson =
+        "{\"sampleIdentifiers\":[{\"sampleId\":\"sample1\",\"studyId\":\"study1\"}]}";
+    when(request.getMethod()).thenReturn("POST");
+    when(request.getPathInfo()).thenReturn("/api/samples/fetch");
+    when(request.getInputStream()).thenReturn(createInputStream(validJson));
+
+    boolean result = interceptor.preHandle(request, response, null);
+
+    assertTrue("preHandle should return true for valid JSON", result);
+    verify(response, never()).setStatus(HttpServletResponse.SC_BAD_REQUEST);
+  }
+
+  @Test
+  public void testNonPostRequestPassesThrough() throws Exception {
+    when(request.getMethod()).thenReturn("GET");
+
+    boolean result = interceptor.preHandle(request, response, null);
+
+    assertTrue("preHandle should return true for GET requests", result);
+    verify(response, never()).setStatus(anyInt());
+  }
+
+  @Test
+  public void testMessageTruncationRemovesJacksonDetails() throws Exception {
+    when(request.getMethod()).thenReturn("POST");
+    when(request.getPathInfo()).thenReturn("/api/patients/fetch");
+    when(request.getInputStream()).thenReturn(createInputStream("{bad}"));
+
+    interceptor.preHandle(request, response, null);
+
+    String responseBody = responseWriter.toString();
+    assertFalse(
+        "Response should not contain Jackson source details", responseBody.contains("at [Source:"));
+  }
+
+  @Test
+  public void testJsonEscapingForSpecialCharacters() throws Exception {
+    // This tests that ObjectMapper properly escapes special characters
+    when(request.getMethod()).thenReturn("POST");
+    when(request.getPathInfo()).thenReturn("/api/patients/fetch");
+    // JSON with unmatched quote that would cause parsing error with special chars in message
+    when(request.getInputStream()).thenReturn(createInputStream("{\"field\": \"value with \\n}"));
+
+    interceptor.preHandle(request, response, null);
+
+    String responseBody = responseWriter.toString();
+    // Verify it's valid JSON (ObjectMapper would produce valid JSON)
+    assertTrue("Response should be valid JSON", responseBody.startsWith("{\"message\":"));
+    assertTrue("Response should end properly", responseBody.endsWith("}"));
+  }
+
+  @Test
+  public void testCommittedResponseDoesNotWrite() throws Exception {
+    when(request.getMethod()).thenReturn("POST");
+    when(request.getPathInfo()).thenReturn("/api/patients/fetch");
+    when(request.getInputStream()).thenReturn(createInputStream("invalid"));
+    when(response.isCommitted()).thenReturn(true);
+
+    interceptor.preHandle(request, response, null);
+
+    verify(response, never()).setStatus(anyInt());
+    verify(response, never()).getWriter();
+  }
+}
