Possible reflective cross site scripting in the io.dropwizard.validation.ConstraintViolations

[WarFox]

We have come across a problem in when doing JSR-303 validation, due to dropwizard ConstraintViolations adding the InvalidValue back in the message.

The following request payload,

{
   "url": "/address/<script>alert(2)</script>"
}

will result in the following error

{
"errors": [
"url must be a valid URL (was /address/<script>alert(2)</script>)"
]
}

We don't want the "was" part.

Based on the investigation we found that it is being appended in the ConstraintViolations.format() method.

public static <T> String format(ConstraintViolation<T> v) {
    if (v.getConstraintDescriptor().getAnnotation() instanceof ValidationMethod) {
        final ImmutableList<Path.Node> nodes = ImmutableList.copyOf(v.getPropertyPath());
        final ImmutableList<Path.Node> usefulNodes = nodes.subList(0, nodes.size() - 1);
        final String msg = v.getMessage().startsWith(".") ? "%s%s" : "%s %s";
        return String.format(msg,
                             Joiner.on('.').join(usefulNodes),
                             v.getMessage()).trim();
    } else {
        return String.format("%s %s (was %s)",
                             v.getPropertyPath(),
                             v.getMessage(),
                             v.getInvalidValue());
    }
}

Is there any way that we can avoid the invalidValue from being attached to the message?

If not can we have a feature switch for that?

[prb]

See also #892.

[WarFox]

The issue I reported could be rectified if the invalidValue is not printed.

Is it something that could be considered?

I don't see a point in printing out the value that was sent in the request payload.

[piefel]

Funny, I was just about to prepare a patch that used that very function to log invalid messages on the server side. On the client, it probably is not as necessary, since the client might know what it just sent.

[WarFox]

Please have a look at the pull request #1001
and advice if it is okay.