Removed untrusted data from exception messages in case they end up on the webpage

AuroraLS3 · AuroraLS3 · commit 9e11d9f4846a · 2023-01-15T10:04:10.000+02:00
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/NetworkPageExporter.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/NetworkPageExporter.java
@@ -24,7 +24,7 @@
 import com.djrapitops.plan.delivery.web.resolver.request.Request;
 import com.djrapitops.plan.delivery.web.resource.WebResource;
 import com.djrapitops.plan.delivery.webserver.resolver.json.RootJSONResolver;
-import com.djrapitops.plan.exceptions.connection.WebException;
+import com.djrapitops.plan.exceptions.WebUserAuthException;
 import com.djrapitops.plan.identification.Server;
 import com.djrapitops.plan.settings.config.PlanConfig;
 import com.djrapitops.plan.settings.config.paths.PluginSettings;
@@ -200,7 +200,7 @@ private String toJSONResourceName(String resource) {
     private Optional<Response> getJSONResponse(String resource) {
         try {
             return jsonHandler.getResolver().resolve(new Request("GET", "/v1/" + resource, null, Collections.emptyMap()));
-        } catch (WebException e) {
+        } catch (WebUserAuthException e) {
             // The rest of the exceptions should not be thrown
             throw new IllegalStateException("Unexpected exception thrown: " + e, e);
         }
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/PlayerPageExporter.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/PlayerPageExporter.java
@@ -24,7 +24,7 @@
 import com.djrapitops.plan.delivery.web.resolver.request.Request;
 import com.djrapitops.plan.delivery.web.resource.WebResource;
 import com.djrapitops.plan.delivery.webserver.resolver.json.RootJSONResolver;
-import com.djrapitops.plan.exceptions.connection.WebException;
+import com.djrapitops.plan.exceptions.WebUserAuthException;
 import com.djrapitops.plan.settings.config.PlanConfig;
 import com.djrapitops.plan.settings.config.paths.PluginSettings;
 import com.djrapitops.plan.settings.theme.Theme;
@@ -153,7 +153,7 @@ private String toJSONResourceName(String resource) {
     private Optional<Response> getJSONResponse(String resource) {
         try {
             return jsonHandler.getResolver().resolve(new Request("GET", "/v1/" + resource, null, Collections.emptyMap()));
-        } catch (WebException e) {
+        } catch (WebUserAuthException e) {
             // The rest of the exceptions should not be thrown
             throw new IllegalStateException("Unexpected exception thrown: " + e, e);
         }
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/PlayersPageExporter.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/PlayersPageExporter.java
@@ -24,7 +24,7 @@
 import com.djrapitops.plan.delivery.web.resolver.request.Request;
 import com.djrapitops.plan.delivery.web.resource.WebResource;
 import com.djrapitops.plan.delivery.webserver.resolver.json.RootJSONResolver;
-import com.djrapitops.plan.exceptions.connection.WebException;
+import com.djrapitops.plan.exceptions.WebUserAuthException;
 import com.djrapitops.plan.identification.ServerInfo;
 import com.djrapitops.plan.settings.config.PlanConfig;
 import com.djrapitops.plan.settings.config.paths.PluginSettings;
@@ -142,7 +142,7 @@ private String toJSONResourceName(String resource) {
     private Optional<Response> getJSONResponse(String resource) {
         try {
             return jsonHandler.getResolver().resolve(new Request("GET", "/v1/" + resource, null, Collections.emptyMap()));
-        } catch (WebException e) {
+        } catch (WebUserAuthException e) {
             // The rest of the exceptions should not be thrown
             throw new IllegalStateException("Unexpected exception thrown: " + e.toString(), e);
         }
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/ReactExporter.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/ReactExporter.java
@@ -20,7 +20,7 @@
 import com.djrapitops.plan.delivery.web.resolver.Response;
 import com.djrapitops.plan.delivery.web.resolver.request.Request;
 import com.djrapitops.plan.delivery.webserver.resolver.json.RootJSONResolver;
-import com.djrapitops.plan.exceptions.connection.WebException;
+import com.djrapitops.plan.exceptions.WebUserAuthException;
 import com.djrapitops.plan.settings.config.PlanConfig;
 import com.djrapitops.plan.settings.config.paths.WebserverSettings;
 import com.djrapitops.plan.settings.locale.LangCode;
@@ -179,7 +179,7 @@ private String toJsonResourceName(String resource) {
     private Optional<Response> getJsonResponse(String resource) {
         try {
             return jsonHandler.getResolver().resolve(new Request("GET", "/v1/" + resource, null, Collections.emptyMap()));
-        } catch (WebException e) {
+        } catch (WebUserAuthException e) {
             // The rest of the exceptions should not be thrown
             throw new IllegalStateException("Unexpected exception thrown: " + e, e);
         }
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/ServerPageExporter.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/export/ServerPageExporter.java
@@ -24,7 +24,7 @@
 import com.djrapitops.plan.delivery.web.resolver.request.Request;
 import com.djrapitops.plan.delivery.web.resource.WebResource;
 import com.djrapitops.plan.delivery.webserver.resolver.json.RootJSONResolver;
-import com.djrapitops.plan.exceptions.connection.WebException;
+import com.djrapitops.plan.exceptions.WebUserAuthException;
 import com.djrapitops.plan.identification.Server;
 import com.djrapitops.plan.identification.ServerInfo;
 import com.djrapitops.plan.identification.ServerUUID;
@@ -224,7 +224,7 @@ private String toJSONResourceName(String resource) {
     private Optional<Response> getJSONResponse(String resource) {
         try {
             return jsonHandler.getResolver().resolve(new Request("GET", "/v1/" + resource, null, Collections.emptyMap()));
-        } catch (WebException e) {
+        } catch (WebUserAuthException e) {
             // The rest of the exceptions should not be thrown
             throw new IllegalStateException("Unexpected exception thrown: " + e, e);
         }
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/rendering/pages/InternalErrorPage.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/rendering/pages/InternalErrorPage.java
@@ -42,7 +42,7 @@ public class InternalErrorPage implements Page {
     private final VersionChecker versionChecker;
 
     public InternalErrorPage(
-            String template, String errorMsg, Throwable error,
+            String template, String errorMsg, @Untrusted Throwable error,
             VersionChecker versionChecker
     ) {
         this.template = template;
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/rendering/pages/PageFactory.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/rendering/pages/PageFactory.java
@@ -38,6 +38,7 @@
 import com.djrapitops.plan.storage.database.queries.containers.ContainerFetchQueries;
 import com.djrapitops.plan.storage.database.queries.objects.ServerQueries;
 import com.djrapitops.plan.storage.file.PlanFiles;
+import com.djrapitops.plan.utilities.dev.Untrusted;
 import com.djrapitops.plan.version.VersionChecker;
 import dagger.Lazy;
 import org.apache.commons.lang3.StringUtils;
@@ -219,7 +220,7 @@ public Page networkPage() throws IOException {
         );
     }
 
-    public Page internalErrorPage(String message, Throwable error) {
+    public Page internalErrorPage(String message, @Untrusted Throwable error) {
         try {
             return new InternalErrorPage(
                     getResource("error.html"), message, error,
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/ResponseFactory.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/ResponseFactory.java
@@ -96,7 +96,7 @@ private Response forPage(Page page) {
                 .build();
     }
 
-    private Response forInternalError(Throwable error, String cause) {
+    private Response forInternalError(@Untrusted Throwable error, String cause) {
         return Response.builder()
                 .setMimeType(MimeType.HTML)
                 .setContent(pageFactory.internalErrorPage(cause, error).toHtml())
@@ -171,7 +171,7 @@ public Response rawPlayerPageResponse(UUID playerUUID) {
                 .build();
     }
 
-    public Response javaScriptResponse(String fileName) {
+    public Response javaScriptResponse(@Untrusted String fileName) {
         try {
             String content = UnaryChain.of(getResource(fileName).asString())
                     .chain(this::replaceMainAddressPlaceholder)
@@ -189,7 +189,7 @@ public Response javaScriptResponse(String fileName) {
                     .setStatus(200)
                     .build();
         } catch (UncheckedIOException e) {
-            return notFound404("JS File not found from jar: " + fileName + ", " + e);
+            return notFound404("Javascript File not found");
         }
     }
 
@@ -217,23 +217,23 @@ public Response cssResponse(@Untrusted String fileName) {
                     .setStatus(200)
                     .build();
         } catch (UncheckedIOException e) {
-            return notFound404("CSS File not found from jar: " + fileName + ", " + e);
+            return notFound404("CSS File not found");
         }
     }
 
-    public Response imageResponse(String fileName) {
+    public Response imageResponse(@Untrusted String fileName) {
         try {
             return Response.builder()
                     .setMimeType(MimeType.IMAGE)
                     .setContent(getResource(fileName))
                     .setStatus(200)
                     .build();
         } catch (UncheckedIOException e) {
-            return notFound404("Image File not found from jar: " + fileName + ", " + e);
+            return notFound404("Image File not found");
         }
     }
 
-    public Response fontResponse(String fileName) {
+    public Response fontResponse(@Untrusted String fileName) {
         String type;
         if (fileName.endsWith(".woff")) {
             type = MimeType.FONT_WOFF;
@@ -252,7 +252,7 @@ public Response fontResponse(String fileName) {
                     .setContent(getResource(fileName))
                     .build();
         } catch (UncheckedIOException e) {
-            return notFound404("Font File not found from jar: " + fileName + ", " + e);
+            return notFound404("Font File not found");
         }
     }
 
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/ResponseResolver.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/ResponseResolver.java
@@ -33,7 +33,6 @@
 import com.djrapitops.plan.delivery.webserver.resolver.swagger.SwaggerJsonResolver;
 import com.djrapitops.plan.delivery.webserver.resolver.swagger.SwaggerPageResolver;
 import com.djrapitops.plan.exceptions.WebUserAuthException;
-import com.djrapitops.plan.exceptions.connection.ForbiddenException;
 import com.djrapitops.plan.utilities.dev.Untrusted;
 import com.djrapitops.plan.utilities.logging.ErrorContext;
 import com.djrapitops.plan.utilities.logging.ErrorLogger;
@@ -173,8 +172,6 @@ public Response getResponse(@Untrusted Request request) {
             return tryToGetResponse(request);
         } catch (NotFoundException e) {
             return responseFactory.notFound404(e.getMessage());
-        } catch (ForbiddenException e) {
-            return responseFactory.forbidden403(e.getMessage());
         } catch (BadRequestException e) {
             return responseFactory.badRequest(e.getMessage(), request.getPath().asString());
         } catch (WebUserAuthException e) {
@@ -187,7 +184,6 @@ public Response getResponse(@Untrusted Request request) {
 
     /**
      * @throws NotFoundException   In some cases when page was not found, not all.
-     * @throws ForbiddenException  If the user is not allowed to see the page
      * @throws BadRequestException If the request did not have required things.
      */
     private Response tryToGetResponse(@Untrusted Request request) {
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/json/QueryJSONResolver.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/json/QueryJSONResolver.java
@@ -164,7 +164,7 @@ private InputQueryDto parseInputQueryFromQueryParams(@Untrusted Request request)
                     .orElseThrow(() -> new BadRequestException("'view' parameter not set (expecting json object {afterDate, afterTime, beforeDate, beforeTime})"));
             return new InputQueryDto(view, queryFilters);
         } catch (IOException e) {
-            throw new BadRequestException("Failed to decode json: '" + q + "', " + e.getMessage());
+            throw new BadRequestException("Failed to decode json");
         }
     }
 
@@ -202,7 +202,7 @@ private Response buildAndStoreResponse(InputQueryDto input, Filter.Result result
                     .setJSONContent(stored.json)
                     .build();
         } catch (ParseException e) {
-            throw new BadRequestException("'view' date format was incorrect (expecting afterDate dd/mm/yyyy, afterTime hh:mm, beforeDate dd/mm/yyyy, beforeTime hh:mm}): " + e.getMessage());
+            throw new BadRequestException("'view' date format was incorrect (expecting afterDate dd/mm/yyyy, afterTime hh:mm, beforeDate dd/mm/yyyy, beforeTime hh:mm})");
         }
     }
 
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/json/ServerIdentityJSONResolver.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/json/ServerIdentityJSONResolver.java
@@ -79,7 +79,7 @@ public Optional<Response> resolve(Request request) {
         @Untrusted String serverIdentifier = request.getQuery().get("server")
                 .orElseThrow(() -> new BadRequestException("Missing 'server' query parameter"));
         ServerDto server = jsonFactory.serverForIdentifier(serverIdentifier)
-                .orElseThrow(() -> new NotFoundException("Server with identifier '" + serverIdentifier + "' was not found in the database"));
+                .orElseThrow(() -> new NotFoundException("Server with given identifier was not found in the database"));
         return Optional.of(Response.builder()
                 .setJSONContent(server)
                 .build());
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/exceptions/MissingPipelineException.java b/Plan/common/src/main/java/com/djrapitops/plan/exceptions/MissingPipelineException.java
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/exceptions/WebUserAuthException.java b/Plan/common/src/main/java/com/djrapitops/plan/exceptions/WebUserAuthException.java
@@ -17,14 +17,13 @@
 package com.djrapitops.plan.exceptions;
 
 import com.djrapitops.plan.delivery.webserver.auth.FailReason;
-import com.djrapitops.plan.exceptions.connection.WebException;
 
 /**
  * Thrown when WebUser can not be authorized (WebServer).
  *
  * @author AuroraLS3
  */
-public class WebUserAuthException extends WebException {
+public class WebUserAuthException extends IllegalStateException {
 
     private final FailReason failReason;
 
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/exceptions/connection/ForbiddenException.java b/Plan/common/src/main/java/com/djrapitops/plan/exceptions/connection/ForbiddenException.java
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/exceptions/connection/WebException.java b/Plan/common/src/main/java/com/djrapitops/plan/exceptions/connection/WebException.java
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/identification/Identifiers.java b/Plan/common/src/main/java/com/djrapitops/plan/identification/Identifiers.java
@@ -74,8 +74,8 @@ public static Optional<Long> getTimestamp(@Untrusted Request request) {
                 return Optional.empty();
             }
             return Optional.of(timestamp);
-        } catch (NumberFormatException nonNumberTimestamp) {
-            throw new BadRequestException("'timestamp' was not a number: " + nonNumberTimestamp.getMessage());
+        } catch (@Untrusted NumberFormatException nonNumberTimestamp) {
+            throw new BadRequestException("'timestamp' was not a number");
         }
     }
 
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/filter/QueryFilters.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/filter/QueryFilters.java
@@ -96,7 +96,7 @@ public Filter.Result apply(@Untrusted List<InputFilterDto> filterQueries) {
 
     private Filter.Result apply(Filter.Result current, @Untrusted InputFilterDto inputFilterDto) {
         @Untrusted String kind = inputFilterDto.getKind();
-        Filter filter = getFilter(kind).orElseThrow(() -> new BadRequestException("Filter kind not supported: '" + kind + "'"));
+        Filter filter = getFilter(kind).orElseThrow(() -> new BadRequestException("Given Filter 'kind' not supported"));
 
         return getResult(current, filter, inputFilterDto);
     }
@@ -106,8 +106,7 @@ private Filter.Result getResult(Filter.Result current, Filter filter, @Untrusted
             return current == null ? filter.apply(query) : current.apply(filter, query);
         } catch (IllegalArgumentException badOptions) {
             throw new BadRequestException("Bad parameters for filter '" + filter.getKind() +
-                    "': expecting " + Arrays.asList(filter.getExpectedParameters()) +
-                    ", but was given " + query.getSetParameters());
+                    "': expecting " + Arrays.asList(filter.getExpectedParameters()) + " as parameters");
         }
     }
 
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/filter/filters/DateRangeFilter.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/filter/filters/DateRangeFilter.java
@@ -76,8 +76,8 @@ private long getTime(@Untrusted InputFilterDto query, String dateKey, String tim
 
         try {
             return dateFormat.parse(date + ' ' + time).getTime();
-        } catch (ParseException e) {
-            throw new IllegalArgumentException(e);
+        } catch (@Untrusted ParseException e) {
+            throw new IllegalArgumentException("Could not parse date from given '" + dateKey + "' and '" + timeKey + "' - expected format dd/MM/yyyy and kk:mm");
         }
     }
 }
diff --git a/Plan/common/src/test/java/com/djrapitops/plan/delivery/webserver/HttpsServerTest.java b/Plan/common/src/test/java/com/djrapitops/plan/delivery/webserver/HttpsServerTest.java

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ private Response forPage(Page page) {`
`96`	`96`	`.build();`
`97`	`97`	`}`
`98`	`98`
`99`		`- private Response forInternalError(Throwable error, String cause) {`
	`99`	`+ private Response forInternalError(@Untrusted Throwable error, String cause) {`
`100`	`100`	`return Response.builder()`
`101`	`101`	`.setMimeType(MimeType.HTML)`
`102`	`102`	`.setContent(pageFactory.internalErrorPage(cause, error).toHtml())`
`@@ -171,7 +171,7 @@ public Response rawPlayerPageResponse(UUID playerUUID) {`
`171`	`171`	`.build();`
`172`	`172`	`}`
`173`	`173`
`174`		`- public Response javaScriptResponse(String fileName) {`
	`174`	`+ public Response javaScriptResponse(@Untrusted String fileName) {`
`175`	`175`	`try {`
`176`	`176`	`String content = UnaryChain.of(getResource(fileName).asString())`
`177`	`177`	`.chain(this::replaceMainAddressPlaceholder)`
`@@ -189,7 +189,7 @@ public Response javaScriptResponse(String fileName) {`
`189`	`189`	`.setStatus(200)`
`190`	`190`	`.build();`
`191`	`191`	`} catch (UncheckedIOException e) {`
`192`		`- return notFound404("JS File not found from jar: " + fileName + ", " + e);`
	`192`	`+ return notFound404("Javascript File not found");`
`193`	`193`	`}`
`194`	`194`	`}`
`195`	`195`
`@@ -217,23 +217,23 @@ public Response cssResponse(@Untrusted String fileName) {`
`217`	`217`	`.setStatus(200)`
`218`	`218`	`.build();`
`219`	`219`	`} catch (UncheckedIOException e) {`
`220`		`- return notFound404("CSS File not found from jar: " + fileName + ", " + e);`
	`220`	`+ return notFound404("CSS File not found");`
`221`	`221`	`}`
`222`	`222`	`}`
`223`	`223`
`224`		`- public Response imageResponse(String fileName) {`
	`224`	`+ public Response imageResponse(@Untrusted String fileName) {`
`225`	`225`	`try {`
`226`	`226`	`return Response.builder()`
`227`	`227`	`.setMimeType(MimeType.IMAGE)`
`228`	`228`	`.setContent(getResource(fileName))`
`229`	`229`	`.setStatus(200)`
`230`	`230`	`.build();`
`231`	`231`	`} catch (UncheckedIOException e) {`
`232`		`- return notFound404("Image File not found from jar: " + fileName + ", " + e);`
	`232`	`+ return notFound404("Image File not found");`
`233`	`233`	`}`
`234`	`234`	`}`
`235`	`235`
`236`		`- public Response fontResponse(String fileName) {`
	`236`	`+ public Response fontResponse(@Untrusted String fileName) {`
`237`	`237`	`String type;`
`238`	`238`	`if (fileName.endsWith(".woff")) {`
`239`	`239`	`type = MimeType.FONT_WOFF;`
`@@ -252,7 +252,7 @@ public Response fontResponse(String fileName) {`
`252`	`252`	`.setContent(getResource(fileName))`
`253`	`253`	`.build();`
`254`	`254`	`} catch (UncheckedIOException e) {`
`255`		`- return notFound404("Font File not found from jar: " + fileName + ", " + e);`
	`255`	`+ return notFound404("Font File not found");`
`256`	`256`	`}`
`257`	`257`	`}`
`258`	`258`
Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,7 @@ private InputQueryDto parseInputQueryFromQueryParams(@Untrusted Request request)`
`164`	`164`	`.orElseThrow(() -> new BadRequestException("'view' parameter not set (expecting json object {afterDate, afterTime, beforeDate, beforeTime})"));`
`165`	`165`	`return new InputQueryDto(view, queryFilters);`
`166`	`166`	`} catch (IOException e) {`
`167`		`- throw new BadRequestException("Failed to decode json: '" + q + "', " + e.getMessage());`
	`167`	`+ throw new BadRequestException("Failed to decode json");`
`168`	`168`	`}`
`169`	`169`	`}`
`170`	`170`
`@@ -202,7 +202,7 @@ private Response buildAndStoreResponse(InputQueryDto input, Filter.Result result`
`202`	`202`	`.setJSONContent(stored.json)`
`203`	`203`	`.build();`
`204`	`204`	`} catch (ParseException e) {`
`205`		`- throw new BadRequestException("'view' date format was incorrect (expecting afterDate dd/mm/yyyy, afterTime hh:mm, beforeDate dd/mm/yyyy, beforeTime hh:mm}): " + e.getMessage());`
	`205`	`+ throw new BadRequestException("'view' date format was incorrect (expecting afterDate dd/mm/yyyy, afterTime hh:mm, beforeDate dd/mm/yyyy, beforeTime hh:mm})");`
`206`	`206`	`}`
`207`	`207`	`}`
`208`	`208`