
Show too detailed errors to the user #4341

tung.nh1 ·

Dear managers,
I was accessing build https://build.pmease.com/build/aaa.
Quickbuild links are easy to break and expose exception information. In addition, the even more "troubling" information exposure is the list of detailed server info like OS, user, etc. This is rather dangerous, as it helps in exploiting Quickbuild servers, including by unauthorised users, attackers who have penetrated the network and try to escalate their attack, etc.
Error detail:

Error Details: 

Message: Can't instantiate page using constructor 'public com.pmease.quickbuild.web.page.build.BuildPage(org.apache.wicket.request.mapper.parameter.PageParameters)' and argument '0=[aaa], '. Might be it doesn't exist, may be it is not visible (public).

Root cause:

java.lang.NumberFormatException: For input string: "aaa"
	 at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
	 at java.lang.Long.parseLong(Long.java:589)
	 at java.lang.Long.valueOf(Long.java:803)
	 at com.pmease.quickbuild.web.page.build.BuildPage.getConfigurationId(BuildPage.java:124)
	 at com.pmease.quickbuild.web.page.build.BuildPage.<init>(BuildPage.java:172)
	 at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	 at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:173)
	 at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:97)
	 at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:47)
	 at org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:107)
	 at org.apache.wicket.request.handler.PageProvider.getPageInstance(PageProvider.java:273)
	 at org.apache.wicket.request.handler.PageProvider.getPageInstance(PageProvider.java:167)
	 at org.apache.wicket.request.handler.render.PageRenderer.getPage(PageRenderer.java:78)
	 at org.apache.wicket.request.handler.render.WebPageRenderer.renderPage(WebPageRenderer.java:105)
	 at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:182)
	 at org.apache.wicket.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:147)
	 at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:719)
	 at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:63)
	 at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:210)
	 at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:253)
	 at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:162)
	 at org.apache.wicket.protocol.http.WicketServlet.doGet(WicketServlet.java:137)
	 at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
	 at com.pmease.quickbuild.web.MainServlet.service(MainServlet.java:135)
	 at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	 at org.eclipse.equinox.http.helper.FilterServletAdaptor$FilterChainImpl.doFilter(FilterServletAdaptor.java:56)
	 at org.eclipse.jetty.servlets.UserAgentFilter.doFilter(UserAgentFilter.java:83)
	 at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:365)
	 at org.eclipse.equinox.http.helper.FilterServletAdaptor.service(FilterServletAdaptor.java:37)
	 at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
	 at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
	 at com.pmease.quickbuild.Quickbuild$DisableTraceFilter.doFilter(Quickbuild.java:1178)
	 at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	 at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	 at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
	 at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	 at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	 at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	 at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	 at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
	 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	 at org.eclipse.jetty.server.Server.handle(Server.java:499)
	 at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
	 at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:258)
	 at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	 at java.lang.Thread.run(Thread.java:821)


Complete stack:

org.apache.wicket.WicketRuntimeException: Can't instantiate page using constructor 'public com.pmease.quickbuild.web.page.build.BuildPage(org.apache.wicket.request.mapper.parameter.PageParameters)' and argument '0=[aaa], '. Might be it doesn't exist, may be it is not visible (public).
	 at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:196)
	 at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:97)
	 at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:47)
	 at org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:107)
	 at org.apache.wicket.request.handler.PageProvider.getPageInstance(PageProvider.java:273)
	 at org.apache.wicket.request.handler.PageProvider.getPageInstance(PageProvider.java:167)
	 at org.apache.wicket.request.handler.render.PageRenderer.getPage(PageRenderer.java:78)
	 at org.apache.wicket.request.handler.render.WebPageRenderer.renderPage(WebPageRenderer.java:105)
	 at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:182)
	 at org.apache.wicket.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:147)
	 at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:719)
	 at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:63)
	 at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:210)
	 at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:253)
	 at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:162)

java.lang.reflect.InvocationTargetException
	 at sun.reflect.GeneratedConstructorAccessor242.newInstance(Unknown Source)
	 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	 at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	 at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:173)
	 at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:97)
	 at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:47)
	 at org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:107)
	 at org.apache.wicket.request.handler.PageProvider.getPageInstance(PageProvider.java:273)
	 at org.apache.wicket.request.handler.PageProvider.getPageInstance(PageProvider.java:167)
	 at org.apache.wicket.request.handler.render.PageRenderer.getPage(PageRenderer.java:78)
	 at org.apache.wicket.request.handler.render.WebPageRenderer.renderPage(WebPageRenderer.java:105)
	 at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:182)
	 at org.apache.wicket.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:147)
	 at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:719)
	 at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:63)
	 at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:210)
	 at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:253)
	 at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:162)

Do you have any solution for it?

SVMC_DPI ·

I worry about this too.

While exposed server information is not necessarily in itself a vulnerability, it is information that can assist attackers in exploiting other vulnerabilities that may exist. Exposed server information can also lead attackers to find version-specific services.

The first information shown could be sent automatically to the support team with the info of the authorised user.
If the user is not authorised, don't show any info.

Or can we have any option to show/hide detail error log on web page and via API response?

thang.dv2 ·

I think this is a necessary topic, to hide more sensitive service information.

tung.nh1 ·

It is better if we only show the log detail to Admin and hide it from users.

robinshen ADMIN ·
tung.nh1 ·

Hi @robinshen
Can you change it in QB8? Currently, the Quickbuild we are using is QB8.

robinshen ADMIN ·

For this specific issue, we will backport this into QB8. However, I suggest upgrading to the latest version if possible, as we no longer maintain that version.

tung.nh1 ·

@robinshen
I downloaded the latest source and checked it, but it seems that it does not hide server information:

Below information will also be sent to help us analyzing the problem.
Host Name	xxxxxx
System Date and Time	2021-06-03 11:21:06
Operating System	Linux 4.15.0-72-generic, amd64
OS User Name	root
JVM	OpenJDK 64-Bit Server VM 1.8.0_265, Private Build
QuickBuild Version	8.0.x - Thu May 16 13:20:04 KST 2019
Current User	tung.nh1
Total Memory	250.00 GB
Used Memory	193.99 GB
Configurations	18216

Could you help me fix it?

robinshen ADMIN ·

Actually, this info is populated automatically so that users can send us error details. Without this, users have to fill in all the details manually (and often forget to fill in some important info) to send us an error report.

tung.nh1 ·

It's better if we hide it from users. I think so.

robinshen ADMIN ·

I plan to make the change so that only administrators can send error reports, as normal users will lack a lot of important information. What do you think?
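The two points raised in this thread, the unvalidated build id in the URL that turns into a NumberFormatException page, and the server-info/stack-trace block that should only reach administrators, as an added Java example. This is not QuickBuild's code; the class name, the `parseBuildId`/`errorView` helpers and the sample server-info values are constructed for illustration, modelled on the fields shown above.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.OptionalLong;
import java.util.UUID;
import java.util.logging.Logger;

public final class SafeErrorReporting {
    private static final Logger LOG = Logger.getLogger("quickbuild.errors");
    // Strict parse of the build id from the URL. A value such as "aaa" is rejected here,
    // so the caller can answer 404 instead of letting NumberFormatException reach the user.
    static OptionalLong parseBuildId(String raw) {
        if (raw == null || !raw.matches("[1-9][0-9]{0,18}")) return OptionalLong.empty();
        try {
            return OptionalLong.of(Long.parseLong(raw));
        } catch (NumberFormatException overflow) { // 19 digits can still exceed Long.MAX_VALUE
            return OptionalLong.empty();
        }
    }

    // What the browser receives. The complete record (trace plus host/OS/JVM fields) is always
    // written to the server log under a reference id; only administrators see it in the page.
    static Map<String, String> errorView(Throwable t, Map<String, String> serverInfo, boolean isAdmin) {
        String ref = UUID.randomUUID().toString();
        StringWriter trace = new StringWriter();
        t.printStackTrace(new PrintWriter(trace));
        LOG.severe("ref=" + ref + " serverInfo=" + serverInfo + "\n" + trace);
        Map<String, String> view = new LinkedHashMap<>();
        view.put("reference", ref);
        if (isAdmin) {
            view.put("message", String.valueOf(t.getMessage()));
            view.put("stack", trace.toString());
            view.putAll(serverInfo);
        } else {
            view.put("message", "An internal error occurred. Please quote the reference id to support.");
        }
        return view;
    }

    public static void main(String[] args) {
        Map<String, String> serverInfo = new LinkedHashMap<>(); // constructed sample, fields as in the thread
        serverInfo.put("Operating System", "Linux 4.15.0-72-generic, amd64");
        serverInfo.put("OS User Name", "root");
        System.out.println("parse 'aaa'  -> " + parseBuildId("aaa"));
        Throwable cause = new NumberFormatException("For input string: \"aaa\"");
        System.out.println("user view:  " + errorView(cause, serverInfo, false).keySet());
        System.out.println("admin view: " + errorView(cause, serverInfo, true).keySet());
    }
}
```

Support staff can still correlate a user's generic error with the full record by searching the server log for the reference id, which keeps the "send us error details" workflow without exposing host, OS user or JVM details to ordinary users.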

tung.nh1 ·

Great.
Please change it as soon as possible. Thank you.

tung.nh1 ·

Hi @robinshen
Do you have any action for this function?

robinshen ADMIN ·

Not yet. I am hesitating on doing this, as it makes bug reporting very inconvenient for normal users...

thang.dv2 ·

We can report detailed bugs, but should not show too much detail :((( I think so. I mean we just notify normal users of which fields (like OS, .....) will be reported, but not show the details...

robinshen ADMIN ·