This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit 9534bc19f5bdd431b654dff2a74f9b4b69d7471c
Author: Robert Lazarski <[email protected]>
AuthorDate: Sun Nov 23 10:28:43 2025 -1000
Add some more invalid JSON protection to avoid sensitive info disclosure
---
 .../apache/axis2/json/gson/JSONMessageHandler.java | 14 +++++++---
 .../axis2/json/moshi/JSONMessageHandler.java | 14 +++++++---
 .../apache/axis2/transport/http/AxisServlet.java | 31 +++++++++++++++++++++-
 3 files changed, 50 insertions(+), 9 deletions(-)
diff --git a/modules/json/src/org/apache/axis2/json/gson/JSONMessageHandler.java b/modules/json/src/org/apache/axis2/json/gson/JSONMessageHandler.java
index 6c48169829..592a155ce8 100644
--- a/modules/json/src/org/apache/axis2/json/gson/JSONMessageHandler.java
+++ b/modules/json/src/org/apache/axis2/json/gson/JSONMessageHandler.java
@@ -94,7 +94,12 @@ public class JSONMessageHandler extends AbstractHandler {
 }
 }
 } else {
- String enableJSONOnly = (String) msgContext.getAxisService().getParameterValue("enableJSONOnly");
+ AxisService axisService = msgContext.getAxisService();
+ if (axisService == null) {
+ log.error("AxisService is null in MessageContext, cannot process JSON request");
+ throw new AxisFault("Bad Request: Service not found");
+ }
+ String enableJSONOnly = (String) axisService.getParameterValue("enableJSONOnly");
 if (enableJSONOnly !=null && enableJSONOnly.equalsIgnoreCase("true")) {
 log.debug("On enableJSONOnly=true Axis operation is null on JSON request, message hasn't been dispatched to an operation, proceeding on JSON message name discovery and AxisOperation mapping");
 try{
@@ -109,15 +114,16 @@ public class JSONMessageHandler extends AbstractHandler {
 String messageName=jsonReader.nextName(); // get message name from input json stream
 if (messageName == null) {
 log.error("JSONMessageHandler can't find messageName: " +messageName);
- throw new IOException("Bad Request");
+ throw new AxisFault("Bad Request: Invalid JSON message format");
 } else {
 log.debug("JSONMessageHandler found messageName: " +messageName);
 msgContext.setProperty("jsonMessageName", messageName);
 }
 }
 }
- } catch(Exception e){
- log.error("JSONMessageHandler error: " +e.getMessage());
+ } catch(Exception ex){
+ log.error("JSONMessageHandler error: " +ex.getMessage(), ex);
+ throw new AxisFault(ex.getMessage());
 }
 } else {
 log.debug("On enableJSONOnly=false Axis operation is null, ignore it");
diff --git a/modules/json/src/org/apache/axis2/json/moshi/JSONMessageHandler.java b/modules/json/src/org/apache/axis2/json/moshi/JSONMessageHandler.java
index b9d7b7f553..28f4fd8fa5 100644
--- a/modules/json/src/org/apache/axis2/json/moshi/JSONMessageHandler.java
+++ b/modules/json/src/org/apache/axis2/json/moshi/JSONMessageHandler.java
@@ -94,7 +94,12 @@ public class JSONMessageHandler extends AbstractHandler {
 }
 }
 } else {
- String enableJSONOnly = (String) msgContext.getAxisService().getParameterValue("enableJSONOnly");
+ AxisService axisService = msgContext.getAxisService();
+ if (axisService == null) {
+ log.error("AxisService is null in MessageContext, cannot process JSON request");
+ throw new AxisFault("Bad Request: Service not found");
+ }
+ String enableJSONOnly = (String) axisService.getParameterValue("enableJSONOnly");
 if (enableJSONOnly !=null && enableJSONOnly.equalsIgnoreCase("true")) {
 log.debug("On enableJSONOnly=true Axis operation is null on JSON request, message hasn't been dispatched to an operation, proceeding on JSON message name discovery and AxisOperation mapping");
 try{
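Review bot: `throw new AxisFault(ex.getMessage());` in the new catch block forwards the raw parser message to the caller, and the message a JSON parser attaches to malformed input can carry parser state and a fragment of the request body, which is the class of disclosure the commit title is trying to close; the new mapping in AxisServlet replaces it with generic text only when the servlet-level `enableJSONOnly` flag is on, so if that flag and the service parameter read here can differ, the message reaches the fault response as-is. Throw a fixed message and keep the detail in the log, `throw new AxisFault("Bad Request: Invalid JSON message format");` — the `log.error(..., ex)` on the line above already records the cause with its stack trace, and the servlet's `contains("Invalid JSON")` branch then matches. The same `catch(Exception ex)` also wraps the `AxisFault("Bad Request: Invalid JSON message format")` thrown a few lines earlier in the try, so rethrowing that unchanged first (`catch (AxisFault af) { throw af; }`) keeps its original stack trace. The enclosing method starts and ends outside the hunk; the moshi JSONMessageHandler hunk at @@ -108,15 +113,16 @@ has the identical pattern.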
@@ -108,15 +113,16 @@ public class JSONMessageHandler extends AbstractHandler {
 String messageName=jsonReader.nextName(); // get message name from input json stream
 if (messageName == null) {
 log.error("JSONMessageHandler can't find messageName: " +messageName);
- throw new IOException("Bad Request");
+ throw new AxisFault("Bad Request: Invalid JSON message format");
 } else {
 log.debug("JSONMessageHandler found messageName: " +messageName);
 msgContext.setProperty("jsonMessageName", messageName);
 }
 }
 }
- } catch(Exception e){
- log.error("JSONMessageHandler error: " +e.getMessage());
+ } catch(Exception ex){
+ log.error("JSONMessageHandler error: " +ex.getMessage(), ex);
+ throw new AxisFault(ex.getMessage());
 }
 } else {
 log.debug("On enableJSONOnly=false Axis operation is null, ignore it");
diff --git a/modules/transport/http/src/main/java/org/apache/axis2/transport/http/AxisServlet.java b/modules/transport/http/src/main/java/org/apache/axis2/transport/http/AxisServlet.java
index 199d757edb..dfbbaea645 100644
--- a/modules/transport/http/src/main/java/org/apache/axis2/transport/http/AxisServlet.java
+++ b/modules/transport/http/src/main/java/org/apache/axis2/transport/http/AxisServlet.java
@@ -370,7 +370,7 @@ public class AxisServlet extends HttpServlet {
 * @throws IOException
 */
 protected void showJSONOnlyErrorMessage(HttpServletResponse response) throws IOException {
- response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 PrintWriter writer = new PrintWriter(response.getOutputStream());
 writer.println("{ \"status\": \"error\",\"message\":\"content-type of application/json is mandatory\"}");
 writer.flush();
@@ -409,6 +409,35 @@ public class AxisServlet extends HttpServlet {
 void processAxisFault(MessageContext msgContext, HttpServletResponse res, OutputStream out,
 AxisFault e) {
 try {
+ // Check for JSON-only mode to provide clean JSON error response
+ if (enableJSONOnly) {
+ res.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ res.setContentType("application/json");
+ try {
+ // Handle common error cases with specific messages, fallback to generic for uncommon errors
+ String errorMessage;
+ if (e.getMessage() != null && e.getMessage().contains("Service not found")) {
+ errorMessage = "Service not found";
+ } else if (e.getMessage() != null && e.getMessage().contains("Invalid JSON")) {
+ errorMessage = "Invalid JSON message format";
+ } else {
+ // Generic message for any uncommon/unexpected exceptions from JSONMessageHandler
+ errorMessage = "Bad Request";
+ }
+ String jsonError = "{\"error\":\"" + errorMessage + "\"}";
+ res.getWriter().write(jsonError);
+ return;
+ } catch (IOException ioEx) {
+ log.error("Error writing JSON error response", ioEx);
+ // Fallback to minimal response if even the generic JSON write fails
+ try {
+ res.getWriter().write("{\"error\":\"Request failed\"}");
+ } catch (IOException fallbackEx) {
+ log.error("Failed to write fallback JSON error response", fallbackEx);
+ }
+ }
+ }
+
 // If the fault is not going along the back channel we should be 202ing
 if (AddressingHelper.isFaultRedirected(msgContext)) {
 res.setStatus(HttpServletResponse.SC_ACCEPTED);
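Review bot: The new JSON-only branch writes through `res.getWriter()` although processAxisFault already receives an `OutputStream out`; if `out` was obtained from `res.getOutputStream()` (not visible here, but the usual pairing), the servlet API answers `getWriter()` with an `IllegalStateException`, which is not an IOException and therefore escapes both the inner catch and the fallback write that repeats the same call. Writing the fixed body through the stream avoids that and also pins the encoding: `out.write(jsonError.getBytes(StandardCharsets.UTF_8)); out.flush();` with `res.setContentType("application/json;charset=UTF-8")`, and the fallback becomes `out.write("{\"error\":\"Request failed\"}".getBytes(StandardCharsets.UTF_8));` (needs `java.nio.charset.StandardCharsets` imported if it is not already). Separately, the branch answers `SC_BAD_REQUEST` for every AxisFault that reaches this method while `enableJSONOnly` is set, which appears to include faults raised by the service after dispatch, so a server-side failure would be reported as a client error; keeping 400 for the two mapped messages and a 5xx status for the generic case would be more accurate. The remainder of processAxisFault continues outside the hunk.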
