Do not expose SQL exceptions to frontend

- Catch all sql exceptions, print their stacktrace, and then return a generic 500 error instead.
cBioPortal · Sep 10, 2020 · d87af48 · d87af48
1 parent d301429
commit d87af48
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/web/src/main/java/org/cbioportal/web/error/GlobalExceptionHandler.java b/web/src/main/java/org/cbioportal/web/error/GlobalExceptionHandler.java
@@ -5,6 +5,7 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.jdbc.BadSqlGrammarException;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.validation.FieldError;
 import org.springframework.web.bind.MethodArgumentNotValidException;
@@ -181,4 +182,13 @@ public ResponseEntity<ErrorResponse> handleResourceDefinitionNotFound(ResourceDe
         return new ResponseEntity<>(new ErrorResponse("Resource not found: " + ex.getResourceId()),
                 HttpStatus.NOT_FOUND);
     }
+
+    @ExceptionHandler(BadSqlGrammarException.class)
+    public ResponseEntity<ErrorResponse> handleBadSqlGrammar(BadSqlGrammarException ex) {
+        ex.printStackTrace(); // we still want this to show up in the logs
+        return new ResponseEntity<>(
+            new ErrorResponse("SQL exception. If you are a maintainer of this instance, see logs for details."),
+            HttpStatus.INTERNAL_SERVER_ERROR
+        );
+    }
 }