GET collection call with invalid page offset results in 500 error

Created on 14 August 2023

Problem/Motivation

A third party integrates our Drupal JSON:API. They sometimes call the API with invalid filters. That is not a big problem in itself, but the invalid filters are not "just ignored", nor does the API tell the user "You did something wrong"; instead it throws a totally unhelpful 500 server error. This then alerts our error reporting system, which should not be alerted in this case.

In my opinion it should not be possible to trigger 500 errors with normal get collection calls.

Steps to reproduce

  1. Install jsonapi
  2. Install jsonapi_extras and expose the count (unsure if this is necessary. It is just our current setup and jsonapi_extras is in the call stack.)
  3. Call a collection endpoint with a page offset parameter that has no value, e.g. /jsonapi/node/entity?page[offset]
  4. There is a 500 error but there should be a validation constraint triggered

Exception callstack:

TypeError: Unsupported operand types: string + int in Drupal\jsonapi\Controller\EntityResource::getPagerQueries() (line 1345 of /app/web/core/modules/jsonapi/src/Controller/EntityResource.php)
#0 /app/web/core/modules/jsonapi/src/Controller/EntityResource.php(1302): Drupal\jsonapi\Controller\EntityResource::getPagerQueries('next', '', 50, Array)
#1 /app/web/core/modules/jsonapi/src/Controller/EntityResource.php(1061): Drupal\jsonapi\Controller\EntityResource::getPagerLinks(Object(Symfony\Component\HttpFoundation\Request), Object(Drupal\jsonapi\Query\OffsetPage), Array)
#2 /app/web/core/modules/jsonapi/src/Controller/EntityResource.php(469): Drupal\jsonapi\Controller\EntityResource->respondWithCollection(Object(Drupal\jsonapi\JsonApiResource\ResourceObjectData), Object(Drupal\jsonapi\JsonApiResource\NullIncludedData), Object(Symfony\Component\HttpFoundation\Request), Object(Drupal\jsonapi_extras\ResourceType\ConfigurableResourceType), Object(Drupal\jsonapi\Query\OffsetPage))
#3 [internal function]: Drupal\jsonapi\Controller\EntityResource->getCollection(Object(Drupal\jsonapi_extras\ResourceType\ConfigurableResourceType), Object(Symfony\Component\HttpFoundation\Request))
#4 /app/web/core/lib/Drupal/Core/EventSubscriber/EarlyRenderingControllerWrapperSubscriber.php(123): call_user_func_array(Array, Array)
#5 /app/web/core/lib/Drupal/Core/Render/Renderer.php(580): Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}()

Proposed resolution

  1. Validate all parameters with validation constraints before using them.
  2. Expose the validation constraint error messages in the Json:API 400 error response

Or alternatively we could agree to ignore invalid parameters. This could however confuse the user more than a good error message.
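The steps to reproduce and the proposed resolution above can be illustrated in plain PHP, outside Drupal. The following is an added example, not code from Drupal core or the jsonapi module: it shows why `?page[offset]` with no value reaches the pager arithmetic as an empty string and throws the `TypeError` from the trace on PHP 8, and then shows one way of validating the `page` parameters before use and returning the validation message in a JSON:API 400 error document. All function and class names are hypothetical; `BadRequest` stands in for Drupal's `CacheableBadRequestHttpException`, and the page size of 50 is assumed to match the value in the trace.

```php
<?php
declare(strict_types=1);

// Added example, not code from Drupal core or the jsonapi module. Names are
// hypothetical; BadRequest stands in for Drupal's CacheableBadRequestHttpException.

final class BadRequest extends RuntimeException {}

const SIZE_MAX = 50;   // assumed default page size, matching the "50" in the trace

// Lenient handling (the failure mode from the issue): keys that are present are
// passed through untouched, so page[offset] => '' survives until it is added to an int.
function pageParamsLenient(array $query): array
{
    $page = $query['page'] ?? [];
    return $page + ['offset' => 0, 'limit' => SIZE_MAX];
}

// Validated handling: every page parameter is checked before any arithmetic.
function pageParamsValidated(array $query): array
{
    $page = $query['page'] ?? [];
    if (!is_array($page)) {
        throw new BadRequest('The page parameter needs to be an array.');
    }
    foreach (array_keys($page) as $key) {
        if (!in_array($key, ['offset', 'limit'], true)) {
            throw new BadRequest(sprintf('Unknown page parameter "%s".', $key));
        }
    }
    // FILTER_VALIDATE_INT returns false for '', 'abc', '1.5', '7abc' and for arrays;
    // min_range rejects negatives. Integer strings such as '20' are accepted.
    $offset = filter_var($page['offset'] ?? 0, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $limit = filter_var($page['limit'] ?? SIZE_MAX, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($offset === false) {
        throw new BadRequest('page[offset] must be a non-negative integer.');
    }
    if ($limit === false) {
        throw new BadRequest('page[limit] must be a positive integer.');
    }
    return ['offset' => $offset, 'limit' => min($limit, SIZE_MAX)];
}

// The arithmetic that failed in getPagerQueries(): offset of the "next" page.
function nextOffset(array $page): int
{
    return $page['offset'] + $page['limit'];
}

// JSON:API error document (https://jsonapi.org/format/#errors) so the client sees
// the validation message instead of a bare 500.
function jsonApiError(int $status, string $detail, string $parameter): array
{
    return ['errors' => [[
        'status' => (string) $status,
        'title' => 'Bad Request',
        'detail' => $detail,
        'source' => ['parameter' => $parameter],
    ]]];
}

// 1. Reproduce the 500: parse_str() turns "page[offset]" into ['page' => ['offset' => '']].
parse_str('page[offset]', $query);
try {
    nextOffset(pageParamsLenient($query));
} catch (TypeError $e) {
    echo "lenient: TypeError: {$e->getMessage()}\n";   // Unsupported operand types: string + int
}

// 2. The same input plus other constructed query strings through the validated path.
$cases = [
    'page[offset]',
    'page[offset]=abc',
    'page[offset]=-1',
    'page[offset][]=1',
    'page[size]=10',
    'page[offset]=20&page[limit]=10',
];
foreach ($cases as $qs) {
    parse_str($qs, $query);
    try {
        $page = pageParamsValidated($query);
        printf("%-32s 200 next offset %d\n", $qs, nextOffset($page));
    } catch (BadRequest $e) {
        printf("%-32s 400 %s\n", $qs, json_encode(jsonApiError(400, $e->getMessage(), 'page')));
    }
}
```

Run it with `php example.php` on PHP 8. The lenient path prints the same "Unsupported operand types: string + int" message as the trace, because `'' + 50` is a TypeError on PHP 8 (on PHP 7 it was only a warning, which is why this surfaced as a 500 after an upgrade). The validated path rejects the empty value, non-numeric strings, negatives, array values and unknown keys with a 400 whose `detail` names the parameter, and only the well-formed last case reaches the pager arithmetic.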

πŸ› Bug report
Status

Active

Version

3.0

Component

Code

Created by

🇩🇪 Germany yobottehg
