Add an exception signalling invalid multipart bodies, pass as a decode result (#4861)

Resolves #4858

Invalid multiparts are "expected" exceptions, in that they can be caused
by an bad request, not by a bug in the interpreter

Author: adamw

server/akka-http-server/src/main/scala/sttp/tapir/server/akkahttp/AkkaRequestBody.scala

@@ -10,6 +10,7 @@ import sttp.capabilities.akka.AkkaStreams
 import sttp.model.{Header, Part}
 import sttp.tapir.model.ServerRequest
 import sttp.tapir.server.interpreter.{RawValue, RequestBody}
+import sttp.tapir.server.model.InvalidMultipartBodyException
 import sttp.tapir.{FileRange, RawBodyType, RawPart, InputStreamRange}
 
 import scala.concurrent.{ExecutionContext, Future}
@@ -59,14 +60,17 @@ private[akkahttp] class AkkaRequestBody(serverOptions: AkkaHttpServerOptions)(im
       case RawBodyType.InputStreamRangeBody =>
         Future.successful(RawValue(InputStreamRange(() => body.dataBytes.runWith(StreamConverters.asInputStream()))))
       case m: RawBodyType.MultipartBody =>
-        implicitly[FromEntityUnmarshaller[Multipart.FormData]].apply(body).flatMap { fd =>
-          fd.parts
-            .mapConcat(part => m.partType(part.name).map((part, _)).toList)
-            .mapAsync[RawPart](1) { case (part, codecMeta) => toRawPart(request, part, codecMeta) }
-            .runWith[Future[scala.collection.immutable.Seq[RawPart]]](Sink.seq)
-            .map(RawValue.fromParts)
-            .asInstanceOf[Future[RawValue[R]]]
-        }
+        implicitly[FromEntityUnmarshaller[Multipart.FormData]]
+          .apply(body)
+          .flatMap { fd =>
+            fd.parts
+              .mapConcat(part => m.partType(part.name).map((part, _)).toList)
+              .mapAsync[RawPart](1) { case (part, codecMeta) => toRawPart(request, part, codecMeta) }
+              .runWith[Future[scala.collection.immutable.Seq[RawPart]]](Sink.seq)
+              .map(RawValue.fromParts)
+              .asInstanceOf[Future[RawValue[R]]]
+          }
+          .recoverWith { case e: ParsingException => Future.failed(InvalidMultipartBodyException(e)) }
     }
   }
 

server/armeria-server/src/main/scala/sttp/tapir/server/armeria/ArmeriaRequestBody.scala

@@ -1,13 +1,14 @@
 package sttp.tapir.server.armeria
 
 import com.linecorp.armeria.common.HttpData
-import com.linecorp.armeria.common.multipart.{AggregatedBodyPart, Multipart}
+import com.linecorp.armeria.common.multipart.{AggregatedBodyPart, MimeParsingException, Multipart}
 import com.linecorp.armeria.common.stream.{StreamMessage, StreamMessages}
 import com.linecorp.armeria.server.ServiceRequestContext
 import sttp.capabilities.Streams
 import sttp.model.Part
 import sttp.tapir.model.ServerRequest
 import sttp.tapir.server.interpreter.{RawValue, RequestBody}
+import sttp.tapir.server.model.InvalidMultipartBodyException
 import sttp.tapir.{FileRange, InputStreamRange, RawBodyType}
 
 import java.io.ByteArrayInputStream
@@ -77,6 +78,7 @@ private[armeria] final class ArmeriaRequestBody[F[_], S <: Streams[S]](
               .sequence(rawParts)
               .map(RawValue.fromParts(_))
           })
+          .recoverWith { case e: MimeParsingException => Future.failed(InvalidMultipartBodyException(e)) }
           .asInstanceOf[Future[RawValue[R]]]
     })
   }

server/core/src/main/scala/sttp/tapir/server/interceptor/exception/ExceptionHandler.scala

@@ -3,7 +3,7 @@ package sttp.tapir.server.interceptor.exception
 import sttp.capabilities.StreamMaxLengthExceededException
 import sttp.model.StatusCode
 import sttp.monad.MonadError
-import sttp.tapir.server.model.ValuedEndpointOutput
+import sttp.tapir.server.model.{InvalidMultipartBodyException, ValuedEndpointOutput}
 import sttp.tapir._
 
 trait ExceptionHandler[F[_]] {
@@ -31,6 +31,8 @@ case class DefaultExceptionHandler[F[_]](response: (StatusCode, String) => Value
         monad.unit(Some(response(StatusCode.PayloadTooLarge, s"Payload limit (${maxBytes}B) exceeded")))
       case (_, StreamMaxLengthExceededException(maxBytes)) =>
         monad.unit(Some(response(StatusCode.PayloadTooLarge, s"Payload limit (${maxBytes}B) exceeded")))
+      case (InvalidMultipartBodyException(_, _), _) =>
+        monad.unit(Some(response(StatusCode.BadRequest, s"Invalid multipart body")))
       case _ =>
         monad.unit(Some(response(StatusCode.InternalServerError, "Internal server error")))
     }

server/core/src/main/scala/sttp/tapir/server/interpreter/ServerInterpreter.scala

@@ -7,7 +7,7 @@ import sttp.monad.syntax._
 import sttp.tapir.internal.{Params, ParamsAsAny, RichOneOfBody}
 import sttp.tapir.model.ServerRequest
 import sttp.tapir.server.interceptor._
-import sttp.tapir.server.model.{MaxContentLength, ServerResponse, ValuedEndpointOutput}
+import sttp.tapir.server.model.{InvalidMultipartBodyException, MaxContentLength, ServerResponse, ValuedEndpointOutput}
 import sttp.tapir.server.{model, _}
 import sttp.tapir.{DecodeResult, EndpointIO, EndpointInput, TapirFile}
 import sttp.tapir.EndpointInfo
@@ -197,7 +197,9 @@ class ServerInterpreter[R, F[_], B, S](
               .map(_ => DecodeBasicInputsResult.Failure(bodyInput, failure): DecodeBasicInputsResult)
         }
       }
-      .handleError { case e: StreamMaxLengthExceededException =>
+      // if the exception is "known" - might be the result of a malformed body - treating as a decode failure
+      // otherwise, it's a bug in the interpreter
+      .handleError { case e @ (StreamMaxLengthExceededException(_) | InvalidMultipartBodyException(_, _)) =>
         (DecodeBasicInputsResult.Failure(bodyInput, DecodeResult.Error("", e)): DecodeBasicInputsResult).unit
       }
   }

server/core/src/main/scala/sttp/tapir/server/model/InvalidMultipartBodyException.scala

@@ -0,0 +1,8 @@
+package sttp.tapir.server.model
+
+case class InvalidMultipartBodyException(message: String, cause: Throwable) extends Exception(message, cause)
+
+object InvalidMultipartBodyException {
+  def apply(cause: Throwable): InvalidMultipartBodyException = new InvalidMultipartBodyException(cause.getMessage, cause)
+  def apply(message: String): InvalidMultipartBodyException = InvalidMultipartBodyException(message, null)
+}

server/jdkhttp-server/src/main/scala/sttp/tapir/server/jdkhttp/internal/JdkHttpRequestBody.scala

@@ -9,6 +9,7 @@ import sttp.tapir.capabilities.NoStreams
 import sttp.tapir.model.ServerRequest
 import sttp.tapir.server.interpreter.{RawValue, RequestBody}
 import sttp.tapir.server.jdkhttp.internal.ParsedMultiPart.parseMultipartBody
+import sttp.tapir.server.model.InvalidMultipartBodyException
 import sttp.tapir.{FileRange, InputStreamRange, RawBodyType, RawPart, TapirFile}
 
 import java.io._
@@ -67,20 +68,24 @@ private[jdkhttp] class JdkHttpRequestBody(createFile: ServerRequest => TapirFile
     val httpExchange = jdkHttpRequest(request)
     val boundary = extractBoundary(httpExchange)
 
-    parseMultipartBody(requestBody, boundary, multipartFileThresholdBytes).flatMap(parsedPart =>
-      parsedPart.getName.flatMap(name =>
-        m.partType(name)
-          .map(partType => {
-            val bodyRawValue = toRaw(request, partType, parsedPart.getBody, maxBytes = None)
-            Part(
-              name,
-              bodyRawValue.value,
-              otherDispositionParams = parsedPart.getDispositionParams - "name",
-              headers = parsedPart.fileItemHeaders
-            )
-          })
+    try {
+      parseMultipartBody(requestBody, boundary, multipartFileThresholdBytes).flatMap(parsedPart =>
+        parsedPart.getName.flatMap(name =>
+          m.partType(name)
+            .map(partType => {
+              val bodyRawValue = toRaw(request, partType, parsedPart.getBody, maxBytes = None)
+              Part(
+                name,
+                bodyRawValue.value,
+                otherDispositionParams = parsedPart.getDispositionParams - "name",
+                headers = parsedPart.fileItemHeaders
+              )
+            })
+        )
       )
-    )
+    } catch {
+      case e: Exception if e.getMessage().contains("Parsing multipart failed") => throw InvalidMultipartBodyException(e)
+    }
   }
 
   override def toStream(serverRequest: ServerRequest, maxBytes: Option[Long]): streams.BinaryStream =

server/netty-server/src/main/scala/sttp/tapir/server/netty/internal/NettyRequestBody.scala

@@ -11,6 +11,7 @@ import sttp.monad.MonadError
 import sttp.monad.syntax._
 import sttp.tapir.model.ServerRequest
 import sttp.tapir.server.interpreter.{RawValue, RequestBody}
+import sttp.tapir.server.model.InvalidMultipartBodyException
 import sttp.tapir.server.netty.internal.reactivestreams.SubscriberInputStream
 import sttp.tapir.{FileRange, InputStreamRange, RawBodyType, RawPart, TapirFile}
 
@@ -85,8 +86,9 @@ private[netty] trait NettyRequestBody[F[_], S <: Streams[S]] extends RequestBody
       } yield RawValue(FileRange(file), Seq(FileRange(file)))
     case m: RawBodyType.MultipartBody =>
       serverRequest.underlying match {
-        case r: StreamedHttpRequest => publisherToMultipart(r, serverRequest, m, maxBytes)
-        case _                      => monad.error(new UnsupportedOperationException("Expected a streamed request for multipart body"))
+        case r: StreamedHttpRequest                                  => publisherToMultipart(r, serverRequest, m, maxBytes)
+        case r if r.getClass().getSimpleName() == "EmptyHttpRequest" => monad.error(InvalidMultipartBodyException("Empty multipart body"))
+        case _ => monad.error(new UnsupportedOperationException("Expected a streamed request for multipart body"))
       }
   }
 

server/pekko-http-server/src/main/scala/sttp/tapir/server/pekkohttp/PekkoRequestBody.scala

@@ -1,6 +1,6 @@
 package sttp.tapir.server.pekkohttp
 
-import org.apache.pekko.http.scaladsl.model.{EntityStreamSizeException, HttpEntity, Multipart, RequestEntity}
+import org.apache.pekko.http.scaladsl.model.{EntityStreamSizeException, HttpEntity, Multipart, ParsingException, RequestEntity}
 import org.apache.pekko.http.scaladsl.server.RequestContext
 import org.apache.pekko.http.scaladsl.unmarshalling.FromEntityUnmarshaller
 import org.apache.pekko.stream.scaladsl.{FileIO, Sink, _}
@@ -10,6 +10,7 @@ import sttp.capabilities.pekko.PekkoStreams
 import sttp.model.{Header, Part}
 import sttp.tapir.model.ServerRequest
 import sttp.tapir.server.interpreter.{RawValue, RequestBody}
+import sttp.tapir.server.model.InvalidMultipartBodyException
 import sttp.tapir.{FileRange, InputStreamRange, RawBodyType, RawPart}
 
 import scala.concurrent.{ExecutionContext, Future}
@@ -59,14 +60,17 @@ private[pekkohttp] class PekkoRequestBody(serverOptions: PekkoHttpServerOptions)
       case RawBodyType.InputStreamRangeBody =>
         Future.successful(RawValue(InputStreamRange(() => body.dataBytes.runWith(StreamConverters.asInputStream()))))
       case m: RawBodyType.MultipartBody =>
-        implicitly[FromEntityUnmarshaller[Multipart.FormData]].apply(body).flatMap { fd =>
-          fd.parts
-            .mapConcat(part => m.partType(part.name).map((part, _)).toList)
-            .mapAsync[RawPart](1) { case (part, codecMeta) => toRawPart(request, part, codecMeta) }
-            .runWith[Future[scala.collection.immutable.Seq[RawPart]]](Sink.seq)
-            .map(RawValue.fromParts)
-            .asInstanceOf[Future[RawValue[R]]]
-        }
+        implicitly[FromEntityUnmarshaller[Multipart.FormData]]
+          .apply(body)
+          .flatMap { fd =>
+            fd.parts
+              .mapConcat(part => m.partType(part.name).map((part, _)).toList)
+              .mapAsync[RawPart](1) { case (part, codecMeta) => toRawPart(request, part, codecMeta) }
+              .runWith[Future[scala.collection.immutable.Seq[RawPart]]](Sink.seq)
+              .map(RawValue.fromParts)
+              .asInstanceOf[Future[RawValue[R]]]
+          }
+          .recoverWith { case e: ParsingException => Future.failed(InvalidMultipartBodyException(e)) }
     }
   }
 

server/tests/src/main/scala/sttp/tapir/server/tests/ServerMultipartTests.scala

@@ -187,6 +187,46 @@ class ServerMultipartTests[F[_], OPTIONS, ROUTE](
             r.code shouldBe StatusCode.Ok
             r.body should be("firstPart:BODYONE\r\n--AA\n__\nsecondPart:BODYTWO")
           }
+      },
+      testServer(in_raw_multipart_out_string, "empty multipart body")((parts: Seq[Part[Array[Byte]]]) =>
+        pureResult(parts.length.toString.asRight[Unit])
+      ) { (backend, baseUri) =>
+        basicStringRequest
+          .post(uri"$baseUri/api/echo/multipart")
+          .header("Content-Type", "multipart/form-data; boundary=AAB")
+          .body("")
+          .send(backend)
+          .map { r =>
+            // no parts should be parsed, or a bad request should be returned
+            r.code match {
+              case StatusCode.BadRequest => succeed
+              case StatusCode.Ok         => r.body should be("0")
+              case _ =>
+                fail("Expected BadRequest, but got " + r.code)
+            }
+          }
+      },
+      testServer(in_raw_multipart_out_string, "invalid multipart body")((parts: Seq[Part[Array[Byte]]]) =>
+        pureResult(parts.length.toString.asRight[Unit])
+      ) { (backend, baseUri) =>
+        val testBody = "--ABC\r\n" + // different boundary
+          "Content-Disposition: form-data; name=\"firstPart\"\r\n" +
+          "Content-Type: text/plain\r\n" +
+          "-ABC\r\n" // invalid boundary
+        basicStringRequest
+          .post(uri"$baseUri/api/echo/multipart")
+          .header("Content-Type", "multipart/form-data; boundary=AAB")
+          .body(testBody)
+          .send(backend)
+          .map { r =>
+            // no parts should be parsed, or a bad request should be returned
+            r.code match {
+              case StatusCode.BadRequest => succeed
+              case StatusCode.Ok         => r.body should be("0")
+              case _ =>
+                fail("Expected BadRequest, but got " + r.code)
+            }
+          }
       }
     )
   }