
refactor: update version references to 1.5.0-RC1 across multiple files and add XssValidationException #40

Merged
PasinduOG merged 6 commits into dev from feature/v1.5.0 on May 14, 2026

Conversation

@PasinduOG
Contributor

@PasinduOG PasinduOG commented May 10, 2026

Summary by CodeRabbit

  • New Features
    • Added enhanced XSS protection with dedicated validation error responses for suspicious payloads.
  • Bug Fixes
    • Improved null-safety handling in validation error messages.
    • Enhanced detection of XSS threats in malformed JSON requests.
  • Chores
    • Version bumped to 1.5.0-RC1 release candidate.


@PasinduOG PasinduOG self-assigned this May 10, 2026
@PasinduOG PasinduOG added the enhancement New feature or request label May 10, 2026
@coderabbitai

coderabbitai Bot commented May 10, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 80235ed9-5773-4312-a194-6c43fd3ce3ab

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CODE_OF_CONDUCT.md`:
- Line 49: Add a period to the end of the sentence "To report a possible
violation, please email **pasinduogdev@gmail.com**" in CODE_OF_CONDUCT.md so it
reads with proper punctuation; locate that exact line and append a period to the
end of the sentence.

In `@src/main/java/io/github/og4dev/config/ApiResponseAutoConfiguration.java`:
- Line 220: The throw of XssValidationException is currently not mapped so it
falls through to the catch-all `@ExceptionHandler`(Exception.class) and returns
500; fix by mapping this exception to 400: either add an entry to
ApiExceptionRegistry that maps XssValidationException to HttpStatus.BAD_REQUEST
(so the existing resolution logic handles it), or add an explicit handler method
in GlobalExceptionHandler annotated with
`@ExceptionHandler`(XssValidationException.class) that returns a ResponseEntity
with HttpStatus.BAD_REQUEST and the appropriate error body; locate references to
XssValidationException, ApiExceptionRegistry, and GlobalExceptionHandler to
implement the chosen change.

📥 Commits

Reviewing files that changed from the base of the PR and between d57b022 and d98c82e.

📒 Files selected for processing (26)
  • CODE_OF_CONDUCT.md
  • README.md
  • pom.xml
  • src/main/java/io/github/og4dev/advice/GlobalResponseWrapper.java
  • src/main/java/io/github/og4dev/advice/package-info.java
  • src/main/java/io/github/og4dev/annotation/AutoResponse.java
  • src/main/java/io/github/og4dev/annotation/AutoTrim.java
  • src/main/java/io/github/og4dev/annotation/XssCheck.java
  • src/main/java/io/github/og4dev/annotation/package-info.java
  • src/main/java/io/github/og4dev/config/ApiResponseAutoConfiguration.java
  • src/main/java/io/github/og4dev/config/package-info.java
  • src/main/java/io/github/og4dev/dto/ApiResponse.java
  • src/main/java/io/github/og4dev/dto/package-info.java
  • src/main/java/io/github/og4dev/exception/ApiException.java
  • src/main/java/io/github/og4dev/exception/ApiExceptionRegistry.java
  • src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java
  • src/main/java/io/github/og4dev/exception/XssValidationException.java
  • src/main/java/io/github/og4dev/exception/package-info.java
  • src/main/java/io/github/og4dev/filter/TraceIdFilter.java
  • src/main/java/io/github/og4dev/filter/package-info.java
  • src/main/java/io/github/og4dev/package-info.java
  • src/test/java/io/github/og4dev/advice/GlobalResponseWrapperTest.java
  • src/test/java/io/github/og4dev/annotation/AutoResponseAnnotationTest.java
  • src/test/java/io/github/og4dev/config/AdvancedStringDeserializerTest.java
  • src/test/java/io/github/og4dev/exception/ApiExceptionRegistryTest.java
  • src/test/java/io/github/og4dev/exception/GlobalExceptionHandlerTest.java

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java (1)

236-244: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add missing HttpMessageNotReadableException handler and fix mislabeled XSS handler

Malformed JSON requests will return HTTP 500 instead of 400 because HttpMessageNotReadableException is imported but has no dedicated handler, allowing them to fall through to the catch-all Exception.class at line 152. Additionally, the XSS handler at line 239 is mislabeled with "Handles malformed JSON request exceptions" in its JavaDoc and logs "Malformed JSON request" messages, but actually handles XSS validation failures (security payloads detected during deserialization).

Suggested fix
     /**
-     * Handles malformed JSON request exceptions.
+     * Handles XSS validation exceptions.
      *
      * `@param` ex the XSS validation exception
      * `@return` ProblemDetail response with 400 status
      */
     `@ExceptionHandler`(XssValidationException.class)
     public ProblemDetail handleXssValidationException(XssValidationException ex) {
         String traceId = getOrGenerateTraceId();
-        log.warn("[TraceID: {}] Malformed JSON request: {}", traceId, ex.getMessage());
-        ProblemDetail problemDetail = ProblemDetail.forStatusAndDetail(HttpStatus.BAD_REQUEST, "Malformed JSON request. Please check your request body format.");
+        log.warn("[TraceID: {}] XSS validation failed: {}", traceId, ex.getMessage());
+        ProblemDetail problemDetail = ProblemDetail.forStatusAndDetail(HttpStatus.BAD_REQUEST, "Potentially unsafe input detected in request payload.");
         problemDetail.setProperty("traceId", traceId);
         problemDetail.setProperty("timestamp", Instant.now());
         return problemDetail;
     }
 
+    /**
+     * Handles malformed JSON request exceptions.
+     *
+     * `@param` ex the malformed JSON exception
+     * `@return` ProblemDetail response with 400 status
+     */
+    `@ExceptionHandler`(HttpMessageNotReadableException.class)
+    public ProblemDetail handleHttpMessageNotReadableException(HttpMessageNotReadableException ex) {
+        String traceId = getOrGenerateTraceId();
+        log.warn("[TraceID: {}] Malformed JSON request: {}", traceId, ex.getMessage());
+        ProblemDetail problemDetail = ProblemDetail.forStatusAndDetail(HttpStatus.BAD_REQUEST, "Malformed JSON request. Please check your request body format.");
+        problemDetail.setProperty("traceId", traceId);
+        problemDetail.setProperty("timestamp", Instant.now());
+        return problemDetail;
+    }
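Review bot: the new handleHttpMessageNotReadableException at the bottom of the hunk logs ex.getMessage(), and the parser text in that message echoes request content, so the warn log would retain attacker-controlled fragments; log a fixed string with the traceId (`log.warn("[TraceID: {}] Malformed JSON request", traceId);`) and keep the exception itself at debug level. The handler also needs to inspect the cause chain first: an XssValidationException thrown inside the deserializer arrives wrapped in HttpMessageNotReadableException, so without a getMostSpecificCause() or cause-walk check it would be reported as malformed JSON and never reach handleXssValidationException.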
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java` around
lines 236 - 244, The XSS handler in GlobalExceptionHandler (method
handleXssValidationException) is mislabeled/logs as handling malformed JSON;
update its JavaDoc and log message to correctly indicate it handles XSS
validation failures and keep the existing 400 ProblemDetail/traceId behavior
(use getOrGenerateTraceId and ProblemDetail as already used). Also add a new
dedicated handler method for HttpMessageNotReadableException (e.g.,
handleHttpMessageNotReadable) that generates a 400 ProblemDetail for malformed
JSON, logs a warning with the traceId and ex.getMessage(), and sets the same
"traceId" property so malformed JSON errors no longer fall through to the global
Exception handler.


📥 Commits

Reviewing files that changed from the base of the PR and between d98c82e and 5dbd0fa.

📒 Files selected for processing (2)
  • CODE_OF_CONDUCT.md
  • src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java
✅ Files skipped from review due to trivial changes (1)
  • CODE_OF_CONDUCT.md


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java`:
- Around line 240-243: The current handler handleXssValidationException logs
attacker-controlled content by including ex.getMessage(); change the log call to
only include the traceId and a fixed message (e.g. log.warn("[TraceID: {}] XSS
validation failed", traceId)) and remove any reference to ex.getMessage() or the
exception object from logging or returned ProblemDetail so no raw payload is
persisted; keep ProblemDetail.forStatusAndDetail(...) as the visible response.
- Around line 239-247: The HttpMessageNotReadable handlers should detect wrapped
XssValidationException instances and return the same XSS-specific ProblemDetail
as the direct handler: in both handleHttpMessageNotReadable methods, inspect
ex.getMostSpecificCause() (and walk the cause chain if null) for instanceof
XssValidationException, and if found build and return a ProblemDetail with
status BAD_REQUEST, detail "XSS validation failed. Invalid content detected.",
setProperty("traceId", getOrGenerateTraceId()) and setProperty("timestamp",
Instant.now()), and log using the same traceId; otherwise preserve the existing
malformed-JSON behavior. Ensure you reference XssValidationException,
getMostSpecificCause(), handleHttpMessageNotReadable, ProblemDetail, and
getOrGenerateTraceId() so both occurrences are updated consistently.

📥 Commits

Reviewing files that changed from the base of the PR and between 5dbd0fa and 234c387.

📒 Files selected for processing (1)
  • src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java
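The wrapped-cause handling and payload-free logging that the two comments above ask for, written out as an added example rather than the project's own GlobalExceptionHandler: the class name SafeJsonErrorAdvice, the findCause/problem/traceId helpers and the MAX_CAUSE_DEPTH bound are hypothetical, and it assumes the project's XssValidationException (listed in the PR file set) is on the classpath. It goes slightly beyond the comment by walking the whole cause chain with a depth bound instead of relying on getMostSpecificCause() alone, and by recording the raw exception only at DEBUG.

```java
import java.time.Instant;
import java.util.UUID;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ProblemDetail;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

import io.github.og4dev.exception.XssValidationException; // the project's class, per the PR file list

/** Hypothetical advice class (not the project's handler) showing the wrapped-cause check. */
@RestControllerAdvice
public class SafeJsonErrorAdvice {

    private static final Logger log = LoggerFactory.getLogger(SafeJsonErrorAdvice.class);

    /** Upper bound on the cause walk so a cyclic or very deep chain cannot loop forever (assumed value). */
    private static final int MAX_CAUSE_DEPTH = 32;

    @ExceptionHandler(HttpMessageNotReadableException.class)
    public ProblemDetail handleNotReadable(HttpMessageNotReadableException ex) {
        String traceId = traceId();
        // Jackson wraps the deserializer's exception and Spring wraps Jackson's, so the
        // XssValidationException sits somewhere down the cause chain, not at the top.
        if (findCause(ex, XssValidationException.class) != null) {
            // Fixed message only: the exception message may carry the rejected payload fragment.
            log.warn("[TraceID: {}] XSS validation failed", traceId);
            return problem("XSS validation failed. Invalid content detected.", traceId);
        }
        // ex.getMessage() echoes parser text from the request body, so it stays out of the warn
        // log; the full exception (trailing Throwable argument) is available only at DEBUG.
        log.warn("[TraceID: {}] Malformed JSON request: no details provided", traceId);
        log.debug("[TraceID: {}] Malformed JSON request detail", traceId, ex);
        return problem("Malformed JSON request. Please check your request body format.", traceId);
    }

    /** Walks getCause() from the top and returns the first throwable of the wanted type, or null. */
    static <T extends Throwable> T findCause(Throwable top, Class<T> type) {
        Throwable current = top;
        for (int depth = 0; current != null && depth < MAX_CAUSE_DEPTH; depth++) {
            if (type.isInstance(current)) {
                return type.cast(current);
            }
            current = current.getCause(); // returns null once the chain ends
        }
        return null;
    }

    /** Builds the 400 ProblemDetail with the same traceId and timestamp properties the PR uses. */
    private static ProblemDetail problem(String detail, String traceId) {
        ProblemDetail pd = ProblemDetail.forStatusAndDetail(HttpStatus.BAD_REQUEST, detail);
        pd.setProperty("traceId", traceId);
        pd.setProperty("timestamp", Instant.now());
        return pd;
    }

    /** Stand-in for the project's getOrGenerateTraceId(); a real advice would read the request's trace id. */
    private static String traceId() {
        return UUID.randomUUID().toString();
    }
}
```

getMostSpecificCause() returns only the root of the chain, so if XssValidationException were ever constructed with its own cause that check would miss it; scanning every link, as findCause does, covers both shapes.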


@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (2)
src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java (2)

274-276: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid logging raw XSS exception messages in wrapped cause handling.

Line 276 logs currentCause.getMessage() which may contain attacker-controlled XSS payloads. Apply the same fix as the direct handler—use a fixed message with traceId only.

🛡️ Proposed fix
     if (currentCause instanceof XssValidationException) {
-        String message = currentCause.getMessage() != null ? currentCause.getMessage() : "No details provided";
-        log.warn("[TraceID: {}] XSS validation failed: {}", traceId, message);
+        log.warn("[TraceID: {}] XSS validation failed", traceId);

         ProblemDetail problemDetail = ProblemDetail.forStatusAndDetail(HttpStatus.BAD_REQUEST, "XSS validation failed. Invalid content detected.");
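Review bot: dropping the `message` local is correct since the detail string passed to ProblemDetail.forStatusAndDetail below the hunk is already fixed, but the information in the removed line is now unrecoverable from any log; if operators need it for triage, record the exception at debug level (`log.debug("[TraceID: {}] XSS validation detail", traceId, currentCause);`) so the payload reaches only a debug sink and never the warn log.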
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java` around
lines 274 - 276, In GlobalExceptionHandler, avoid logging attacker-controlled
XSS payloads by changing the wrapped-cause branch that checks "currentCause
instanceof XssValidationException" so it does not include
currentCause.getMessage() in the log; instead call log.warn with a fixed,
non-user-controlled message that includes only the traceId (similar to the
direct XSS handler). Update the log.warn invocation referencing currentCause,
XssValidationException, log.warn, and traceId to exclude the raw exception
message.

243-251: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid logging raw XSS exception messages.

Line 246 logs ex.getMessage() which may contain attacker-controlled payload fragments. This persists potentially malicious content in logs. Use a fixed message with traceId only.

🛡️ Proposed fix
 `@ExceptionHandler`(XssValidationException.class)
 public ProblemDetail handleXssValidationException(XssValidationException ex) {
     String traceId = getOrGenerateTraceId();
-    log.warn("[TraceID: {}] XSS validation failed: {}", traceId, ex.getMessage());
+    log.warn("[TraceID: {}] XSS validation failed", traceId);
     ProblemDetail problemDetail = ProblemDetail.forStatusAndDetail(HttpStatus.BAD_REQUEST, "XSS validation failed. Invalid content detected.");
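Review bot: after this change the warn line no longer records which check rejected the input; if that matters for alerting, log the exception class (`ex.getClass().getSimpleName()`) rather than the message, since the type is fixed by the code while the message carries the payload.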
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java` around
lines 243 - 251, The handler handleXssValidationException currently logs
attacker-controlled content by including ex.getMessage(); change the logging to
avoid logging raw exception messages — for example, call log.warn("[TraceID: {}]
XSS validation failed", traceId) (or log the exception type only) and do not
append ex.getMessage() or any payload fragments; keep the ProblemDetail creation
(ProblemDetail.forStatusAndDetail and setProperty calls) as-is but ensure no
sensitive/attacker-controlled data is added to the response or logs. Use
getOrGenerateTraceId() to correlate events and, if deeper diagnostics are
needed, log full exception details only to a secure debug/audit sink, not the
standard warn log.
🧹 Nitpick comments (1)
src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java (1)

264-270: 💤 Low value

Remove unreachable null check.

Spring's @ExceptionHandler infrastructure never passes null to handler methods. This branch is dead code and adds unnecessary complexity.

♻️ Proposed fix
 `@ExceptionHandler`(HttpMessageNotReadableException.class)
 public ProblemDetail handleHttpMessageNotReadable(HttpMessageNotReadableException ex) {
     String traceId = getOrGenerateTraceId();

-    if (ex == null) {
-        log.warn("[TraceID: {}] Malformed JSON request: Unknown error (exception is null)", traceId);
-        ProblemDetail problemDetail = ProblemDetail.forStatusAndDetail(HttpStatus.BAD_REQUEST, "Malformed JSON request. Please check your request body format.");
-        problemDetail.setProperty("traceId", traceId);
-        problemDetail.setProperty("timestamp", Instant.now());
-        return problemDetail;
-    }
-
     Throwable currentCause = ex;
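Review bot: removing the null branch is right, since Spring only calls the handler with the resolved exception, but the walk that begins at `Throwable currentCause = ex;` should still bound its iterations (a depth counter or visited set), because an unbounded loop over getCause() spins forever on a cyclic chain.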
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java` around
lines 264 - 270, Remove the unreachable null-check branch in
GlobalExceptionHandler: delete the "if (ex == null) { ... }" block that logs and
returns a ProblemDetail for a null exception; instead rely on the
ExceptionHandler method's normal flow using the non-null "ex" parameter and
create/return the ProblemDetail directly where appropriate (remove references to
the null-case traceId logging and ProblemDetail creation inside that branch).
Ensure the handler method (the one receiving "ex") still sets traceId and
timestamp properties on the ProblemDetail for malformed JSON without the dead
null-check.


📥 Commits

Reviewing files that changed from the base of the PR and between 234c387 and ef84d40.

📒 Files selected for processing (1)
  • src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java

…rove readability for malformed JSON requests

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java`:
- Around line 279-282: The handler in GlobalExceptionHandler is currently
logging raw parser text via ex.getMessage() (seen around variables traceId and
errorMessage), which can leak attacker-controlled or sensitive request content;
change the logging to avoid including ex.getMessage() — emit a generic warning
like "Malformed JSON request: no details provided" with traceId only, and if you
need details for debugging, log the full exception at DEBUG/TRACE level or
capture a sanitized parsing error (not the raw body) via a safe helper in the
same method that strips or masks field values before logging.

📥 Commits

Reviewing files that changed from the base of the PR and between ef84d40 and 8e3b93b.

📒 Files selected for processing (1)
  • src/main/java/io/github/og4dev/exception/GlobalExceptionHandler.java

@PasinduOG PasinduOG merged commit 71a5648 into dev May 14, 2026
1 check passed