DMP-3682 Error messages disclosure (#3083)

stephenokeefe · web-flow · commit 30e1781a82c1 · 2025-10-07T16:41:08.000+01:00
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerSearchPostTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerSearchPostTest.java
@@ -1,5 +1,6 @@
 package uk.gov.hmcts.darts.cases.controller;
 
+import lombok.extern.slf4j.Slf4j;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.skyscreamer.jsonassert.JSONCompareMode;
@@ -48,6 +49,7 @@
 import static uk.gov.hmcts.darts.test.common.data.SecurityGroupTestData.createGroupForRole;
 import static uk.gov.hmcts.darts.testutils.stubs.UserAccountStub.INTEGRATION_TEST_USER_EMAIL;
 
+@Slf4j
 @AutoConfigureMockMvc
 class CaseControllerSearchPostTest extends IntegrationBase {
 
@@ -539,6 +541,37 @@ void casesSearchPost_shouldReturn400_whenCourtroomIsLowercase() throws Exception
             .andExpect(status().isBadRequest());
     }
 
+    @Test
+    void casesSearchPost_shouldReturn400_whenUnknownField() throws Exception {
+        setupUserAndSecurityGroupForCourthouses(List.of(swanseaCourthouse));
+        String requestBody = """
+            {
+              "courtroom": "1",
+              "date_from": "2023-05-19",
+              "date_to": "2023-05-20",
+              "test": "test unknown field"
+            }""";
+
+        String expectedResponse = """
+            {
+              "status": 400,
+              "title": "Bad Request",
+              "detail": "JSON parse error"
+            }
+            """;
+
+        MockHttpServletRequestBuilder requestBuilder = post("/cases/search")
+            .contentType(MediaType.APPLICATION_JSON_VALUE)
+            .content(requestBody);
+
+        var result = mockMvc.perform(requestBuilder)
+            .andExpect(status().isBadRequest())
+            .andReturn();
+
+        String actualResponse = result.getResponse().getContentAsString();
+        assertEquals(expectedResponse, actualResponse, JSONCompareMode.NON_EXTENSIBLE);
+    }
+
     @Test
     void casesSearchPost_shouldReturn400_whenEventTextLengthIs2() throws Exception {
         user = dartsDatabase.getUserAccountStub().getIntegrationTestUserAccountEntity();
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/common/exception/GlobalExceptionHandlerTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/common/exception/GlobalExceptionHandlerTest.java
@@ -11,20 +11,21 @@
 import org.springframework.context.annotation.Import;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.http.converter.HttpMessageNotReadableException;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
-import uk.gov.hmcts.darts.common.exception.ExceptionHandlerTest.MockController;
+import uk.gov.hmcts.darts.common.exception.GlobalExceptionHandlerTest.MockController;
 import uk.gov.hmcts.darts.testutils.IntegrationBase;
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @AutoConfigureMockMvc
 @Import(MockController.class)
-class ExceptionHandlerTest extends IntegrationBase {
+class GlobalExceptionHandlerTest extends IntegrationBase {
 
     private static final String ENDPOINT = "/test";
 
@@ -133,4 +134,26 @@ void shouldReturnAGenericRfc7807ResponseWhenARuntimeExceptionIsThrown() throws E
         JSONAssert.assertEquals(expectedResponseBody, actualResponseBody, JSONCompareMode.NON_EXTENSIBLE);
     }
 
+    @Test
+    void handleMessageNotReadableHandler_shouldReturnBadRequestProblem_whenHttpMessageNotReadableExceptionIsThrown() throws Exception {
+        Mockito.when(mockController.test())
+            .thenThrow(new HttpMessageNotReadableException("JSON parse error"));
+
+        MvcResult response = mockMvc.perform(get(ENDPOINT))
+            .andExpect(status().isBadRequest())
+            .andReturn();
+
+        String actualResponseBody = response.getResponse().getContentAsString();
+
+        String expectedResponseBody = """
+            {
+                "detail":"JSON parse error",
+                "title":"Bad Request",
+                "status":400
+            }
+            """;
+
+        JSONAssert.assertEquals(expectedResponseBody, actualResponseBody, JSONCompareMode.NON_EXTENSIBLE);
+    }
+
 }
diff --git a/src/main/java/uk/gov/hmcts/darts/common/exception/ExceptionHandler.java b/src/main/java/uk/gov/hmcts/darts/common/exception/ExceptionHandler.java
diff --git a/src/main/java/uk/gov/hmcts/darts/common/exception/GlobalExceptionHandler.java b/src/main/java/uk/gov/hmcts/darts/common/exception/GlobalExceptionHandler.java
@@ -0,0 +1,32 @@
+package uk.gov.hmcts.darts.common.exception;
+
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.context.request.NativeWebRequest;
+import org.zalando.problem.Problem;
+import org.zalando.problem.spring.common.HttpStatusAdapter;
+import org.zalando.problem.spring.web.advice.ProblemHandling;
+
+
+@ControllerAdvice
+@EnableAutoConfiguration(exclude = ErrorMvcAutoConfiguration.class)
+public class GlobalExceptionHandler implements ProblemHandling, DartsApiTrait, ErrorResponseAdviceTrait {
+
+    // Override the default HttpMessageNotReadableException as this reveals class names in the exception message (DMP-3682)
+    @Override
+    @ExceptionHandler(HttpMessageNotReadableException.class)
+    public ResponseEntity<Problem> handleMessageNotReadableException(HttpMessageNotReadableException exception,
+                                                                     NativeWebRequest request) {
+        Problem problem = Problem.builder()
+            .withTitle("Bad Request")
+            .withStatus(new HttpStatusAdapter(HttpStatus.BAD_REQUEST))
+            .withDetail("JSON parse error")
+            .build();
+        return create(exception, problem, request);
+    }
+}
