COMP-1146 Fix error messages #957

Merged: munishchouhan merged 18 commits into master from COMP-1146-fix-error-messages on Mar 10, 2026
@munishchouhan (Member) commented Jan 5, 2026

Summary

  • Sanitize error messages for unknown/unexpected exceptions to strip internal class names, Jackson deserialization details, stack traces, and reflected user input (XSS vectors) before sending to clients
  • Add sanitizeErrorMessage() to ErrorHandler that preserves useful error context while stripping patterns like fully qualified class names (io.seqera.wave.*), [Source: ...] references, (through reference chain: ...), and
    quoted user input reflection
  • In debug mode, the original unsanitized error is returned for troubleshooting; in production, the sanitized message is returned with an Error ID for log correlation
  • Move Error ID generation into the unknown-exception branch only (known WaveException/HttpStatusException are unaffected)

Test plan

  • Integration test: invalid enum value does not expose internal class names
  • Integration test: XSS payload in request value is not reflected in response
  • Integration test: malformed JSON does not expose Jackson internals
  • Unit test: sanitizeErrorMessage handles null, empty, class names, source references, reference chains, and quoted user input

Signed-off-by: munishchouhan <hrma017@gmail.com>
@munishchouhan munishchouhan changed the title Added ErrorResponse COMP-1146 Fix error messages Jan 5, 2026
@munishchouhan munishchouhan self-assigned this Jan 5, 2026
@munishchouhan munishchouhan marked this pull request as draft January 5, 2026 16:13
Signed-off-by: munishchouhan <hrma017@gmail.com>
@pditommaso (Collaborator) left a comment:

Can more explicit examples be added, in both the PR description and the test, of the message before and after the sanitisation?

munishchouhan and others added 2 commits January 13, 2026 11:50
@munishchouhan (Member, Author) commented:

> Can more explicit examples be added, in both the PR description and the test, of the message before and after the sanitisation?

done

@munishchouhan munishchouhan marked this pull request as ready for review January 13, 2026 12:00
@munishchouhan (Member, Author) commented:

@pditommaso @ramonamela Now this PR has minimal changes, please review
Here is the example

Before change:

 ~ %  curl -s -X POST http://localhost:9090/v1alpha2/container \
    -H 'Content-Type: application/json' \
    -d '{
      "packages": {
        "type": "CRANxkhg3<script>alert(1)</script>pentest",
        "entries": ["dplyr"]
      },
      "format": "docker",
      "containerPlatform": "linux/amd64"
    }' | jq .

{
  "message": "Failed to convert argument [req] for value [null] due to: Cannot deserialize value of type `io.seqera.wave.api.PackagesSpec$Type` from String \"CRANxkhg3<script>alert(1)</script>pentest\": not one of the values accepted for Enum class: [CRAN, CONDA]\n at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 3, column: 17] (through reference chain: io.seqera.wave.api.SubmitContainerTokenRequest[\"packages\"]->io.seqera.wave.api.PackagesSpec[\"type\"]) - Error ID: 4406c4088081"
}

After the change:

 ~ %  curl -s -X POST http://localhost:9090/v1alpha2/container \
    -H 'Content-Type: application/json' \
    -d '{
      "packages": {
        "type": "CRANxkhg3<script>alert(1)</script>pentest",
        "entries": ["dplyr"]
      },
      "format": "docker",
      "containerPlatform": "linux/amd64"
    }' | jq .

{
  "message": "Oops... Unable to process request - Error ID: e14c432dd1e8"
}

Signed-off-by: munishchouhan <hrma017@gmail.com>
@pditommaso (Collaborator) commented:

So this change

Failed to convert argument [req] for value [null] due to: Cannot deserialize value of type .. etc 

into

Oops... Unable to process request - Error ID: e14c432dd1e8

Making the error message completely obscure?

Signed-off-by: munishchouhan <hrma017@gmail.com>
@munishchouhan (Member, Author) commented:

> Making the error message completely obscure?

Now I have added sanitization with common patterns and added tests too

Here is the example:

before:

%  curl -s -X POST http://localhost:9090/v1alpha2/container \
    -H 'Content-Type: application/json' \
    -d '{
      "packages": {
        "type": "CRANxkhg3<script>alert(1)</script>pentest",
        "entries": ["dplyr"]
      },
      "format": "docker",
      "containerPlatform": "linux/amd64"
    }' | jq .

{
  "message": "Failed to convert argument [req] for value [null] due to: Cannot deserialize value of type `io.seqera.wave.api.PackagesSpec$Type` from String \"CRANxkhg3<script>alert(1)</script>pentest\": not one of the values accepted for Enum class: [CRAN, CONDA]\n at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 3, column: 17] (through reference chain: io.seqera.wave.api.SubmitContainerTokenRequest[\"packages\"]->io.seqera.wave.api.PackagesSpec[\"type\"]) - Error ID: 4406c4088081"
}

after


%  curl -s -X POST http://localhost:9090/v1alpha2/container \
    -H 'Content-Type: application/json' \
    -d '{
      "packages": {
        "type": "CRANxkhg3<script>alert(1)</script>pentest",
        "entries": ["dplyr"]
      },
      "format": "docker",
      "containerPlatform": "linux/amd64"
    }' | jq .

{
  "message": "Failed to convert argument [req] for value [null] due to: Cannot deserialize value of type from String \"CRANxkhg3<script>alert(1)</script>pentest\": not one of the values accepted for Enum class: [CRAN, CONDA] - Error ID: b248864d1e64"
}

@pditommaso (Collaborator) commented:

I understand the intent; however, I think we should try to mitigate well-known vulnerabilities, e.g. stripping <script> tags, and preserve the message as much as possible. Also, it may be better to replace the "sensitive" data with [...] or something similar to give a clue to whoever is troubleshooting.

Signed-off-by: munishchouhan <hrma017@gmail.com>
Signed-off-by: munishchouhan <hrma017@gmail.com>
Signed-off-by: munishchouhan <hrma017@gmail.com>
@munishchouhan (Member, Author) commented Mar 10, 2026

@pditommaso I have made the changes. Here are examples

~ %   curl -s -X POST http://localhost:9090/v1alpha2/container -H 'Content-Type: application/json' -d '{"packages": {"type": "INVALID_TYPE"}, "format": "docker", "containerPlatform": "linux/amd64"}' | jq .
{
  "message": "Cannot deserialize value of type not one of the values accepted for Enum class: [CRAN, CONDA] - Error ID: f72c05b6ca8c"
}

 ~ %   curl -s -X POST http://localhost:9090/v1alpha2/container -H 'Content-Type: application/json' -d '{"packages": {"type": "CRANxkhg3<script>alert(1)</script>pentest", "entries": ["dplyr"]}, "format": "docker", "containerPlatform":
  "linux/amd64"}' | jq .
{
  "message": "Cannot deserialize value of type not one of the values accepted for Enum class: [CRAN, CONDA] - Error ID: 8e541a4ad340"
}

 ~ %  curl -s -X POST http://localhost:9090/v1alpha2/container -H 'Content-Type: application/json' -d '{"packages": {"type": }' | jq .
{
  "message": "Unexpected character ('}' (code 125)): expected a value - Error ID: 525174756712"
}

~ %   curl -s -X POST http://localhost:9090/v1alpha2/container -H 'Content-Type: application/json' -d '{"packages": {"type": "<img onerror=alert(1) src=x>"}, "format": "docker", "containerPlatform": "linux/amd64"}' | jq .

{
  "message": "Cannot deserialize value of type not one of the values accepted for Enum class: [CRAN, CONDA] - Error ID: 30a1ff5ea0f5"
}

@pditommaso (Collaborator) commented:

Is it really needed to hide class names?

@munishchouhan (Member, Author) commented Mar 10, 2026

> Is it really needed to hide class names?

I think since Wave is open source, we can show it as it is not sensitive, I will make the changes

Signed-off-by: munishchouhan <hrma017@gmail.com>
Signed-off-by: munishchouhan <hrma017@gmail.com>
@munishchouhan (Member, Author) commented:

done

~ %   curl -s -X POST http://localhost:9090/v1alpha2/container -H 'Content-Type: application/json' -d '{"packages": {"type": "INVALID_TYPE"}, "format": "docker", "containerPlatform": "linux/amd64"}' | jq .

{
  "message": "Cannot deserialize value of type `io.seqera.wave.api.PackagesSpec$Type` not one of the values accepted for Enum class: [CRAN, CONDA] - Error ID: 7c38009c9f87"
}

@pditommaso (Collaborator) left a comment:

You may want to consider this, otherwise ok

QUOTED_INPUT pattern may over-match - from String ".?":?\s could strip content from non-Jackson errors that happen to contain from String ". Low risk but worth noting.

Signed-off-by: munishchouhan <hrma017@gmail.com>
Signed-off-by: munishchouhan <hrma017@gmail.com>
@munishchouhan munishchouhan merged commit e664b54 into master Mar 10, 2026
5 checks passed
@munishchouhan munishchouhan deleted the COMP-1146-fix-error-messages branch March 10, 2026 17:33
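
The behaviour the thread converges on (class names kept, reflected input and Jackson location details stripped), as an added Java sketch that is not the code merged in this PR. Class, field and pattern names are hypothetical, and the patterns are written against the Jackson message quoted in the thread; the quoted-input pattern is anchored to Jackson's enum error to avoid the over-match raised in the last review comment.

```java
import java.util.regex.Pattern;

// Added illustration; class, field and method names are hypothetical.
public class ErrorMessageSanitizerExample {
    static final String GENERIC = "Oops... Unable to process request";

    // Reflected input, matched only inside Jackson's enum error. The greedy ".*"
    // runs to the last '": not one of ...', so input containing '": ' cannot end
    // the match early and leave a tail behind.
    static final Pattern QUOTED_INPUT = Pattern.compile(
        "(Cannot deserialize value of type `[^`]+`) from String \".*\": "
        + "(?=not one of the values accepted)", Pattern.DOTALL);
    // Location suffix in the form shown in the thread: "at [Source: ...; line: 3, column: 17]"
    static final Pattern SOURCE_REF = Pattern.compile(
        "\\s*at \\[Source: .*?; line: \\d+, column: \\d+\\]", Pattern.DOTALL);
    // Trailing "(through reference chain: A["x"]->B["y"])"
    static final Pattern REF_CHAIN = Pattern.compile(
        "\\s*\\(through reference chain: .*\\)", Pattern.DOTALL);

    static String sanitize(String message) {
        if (message == null || message.isBlank()) return GENERIC;
        // Order matters: drop the reflected input first, so text inside it that
        // imitates "at [Source: ..." cannot steer the later patterns.
        String out = QUOTED_INPUT.matcher(message).replaceAll("$1 ");
        out = SOURCE_REF.matcher(out).replaceAll("");
        out = REF_CHAIN.matcher(out).replaceAll("").trim();
        // Fail closed: leftover markup means input was reflected in a shape the
        // patterns did not anticipate.
        boolean markup = out.indexOf('<') >= 0 || out.indexOf('>') >= 0;
        return (out.isEmpty() || markup) ? GENERIC : out;
    }

    public static void main(String[] args) {
        // Constructed from the "before" response quoted in the thread.
        String jackson = "Cannot deserialize value of type `io.seqera.wave.api.PackagesSpec$Type`"
            + " from String \"CRANxkhg3<script>alert(1)</script>pentest\": not one of the values"
            + " accepted for Enum class: [CRAN, CONDA]\n at [Source: REDACTED"
            + " (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 3, column: 17]"
            + " (through reference chain: io.seqera.wave.api.SubmitContainerTokenRequest[\"packages\"]"
            + "->io.seqera.wave.api.PackagesSpec[\"type\"])";
        System.out.println(sanitize(jackson));
        // Non-Jackson text that happens to contain 'from String "' is left as is.
        System.out.println(sanitize("Cannot read tag from String \"latest\": registry timeout"));
    }
}
```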