Posted to issues@livy.apache.org by "Evelyn Liang (Jira)" <ji...@apache.org> on 2022/08/24 15:12:00 UTC

[jira] [Created] (LIVY-895) Livy service improper error handling

Evelyn Liang created LIVY-895:
---------------------------------

             Summary: Livy service improper error handling
                 Key: LIVY-895
                 URL: https://issues.apache.org/jira/browse/LIVY-895
             Project: Livy
          Issue Type: Bug
          Components: API
    Affects Versions: 0.7.0
            Reporter: Evelyn Liang
         Attachments: livy 500 sever error.rtf

Affected API: POST /sessions

Description: The application does not handle exceptions properly. When a junk character is supplied to the parameter, it causes an exception and the server responds with response code 500, which should not be visible to the end user. It was observed that throughout the applications and APIs in scope, JSON parsers, XML parsers and the application server throw exceptions and stack traces in several cases.

Risk:

If an attacker probes the application by forging a request that contains parameters or parameter values other than the ones expected by the application, the application may enter an undefined state that makes it vulnerable to attack. The attacker can gain useful information from the application's response to this request, information that may be exploited to locate application weaknesses.


Fix:
Check incoming requests for the presence of all expected parameters and values. When a parameter is missing, issue a proper error message or use default values. The application should verify that its input consists of valid characters (after decoding). For example, an input value containing the null byte (encoded as %00), apostrophe, quotes, etc. should be rejected. Enforce values in their expected ranges and types. 

Evidence:
In the attachment

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
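As an illustration of the fix the reporter describes, the following is an added example and not Livy's own code (Livy's server is written in Scala; this is a Python stand-in for the pattern). It shows a POST /sessions handler that decodes the body, checks field names, JSON types, ranges and characters after decoding, answers malformed input with a 400 and a fixed message, and maps any unexpected exception to a 500 that carries only an incident id while the stack trace goes to the server log. The field list, the allowed values of kind, the memory-size syntax and the default kind are assumptions based on the Livy REST API documentation and should be checked against your version; _fake_create_session stands in for real session creation so the example runs offline.

```python
import json
import logging
import re
import uuid

log = logging.getLogger("livy.sessions")

# Fields accepted by POST /sessions and the JSON type each must carry.
# Assumed from the Livy REST API docs for this example; check your Livy version.
SESSION_FIELDS = {
    "kind": str, "proxyUser": str, "jars": list, "pyFiles": list, "files": list,
    "driverMemory": str, "driverCores": int, "executorMemory": str,
    "executorCores": int, "numExecutors": int, "archives": list, "queue": str,
    "name": str, "conf": dict, "heartbeatTimeoutInSecond": int,
}
ALLOWED_KINDS = {"spark", "pyspark", "sparkr", "sql"}
MEMORY_RE = re.compile(r"^[1-9][0-9]*[kmgt]?$", re.IGNORECASE)  # e.g. 512m, 4g
MAX_STR_LEN, MAX_LIST_LEN, MAX_INT = 4096, 100, 100_000


class BadRequest(Exception):
    """A client error whose message is safe to send back to the caller."""


def _check_string(name, value):
    """Reject over-long strings and any control character (NUL arrives as \\u0000)."""
    if len(value) > MAX_STR_LEN:
        raise BadRequest(f"{name} is too long")
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        raise BadRequest(f"{name} contains invalid characters")


def validate_session_request(body):
    """Return a validated copy of a decoded POST /sessions body or raise BadRequest."""
    if not isinstance(body, dict):
        raise BadRequest("request body must be a JSON object")
    if set(body) - set(SESSION_FIELDS):
        raise BadRequest("request contains unknown field(s)")
    clean = {}
    for name, expected in SESSION_FIELDS.items():
        if name not in body:
            continue
        value = body[name]
        # bool is a subclass of int in Python, so `true` would otherwise pass as an int
        if isinstance(value, bool) or not isinstance(value, expected):
            raise BadRequest(f"{name} must be of type {expected.__name__}")
        if isinstance(value, str):
            _check_string(name, value)
        elif isinstance(value, list):
            if len(value) > MAX_LIST_LEN or not all(isinstance(v, str) for v in value):
                raise BadRequest(f"{name} must be a list of at most {MAX_LIST_LEN} strings")
            for v in value:
                _check_string(name, v)
        elif isinstance(value, dict):
            for k, v in value.items():  # JSON object keys are always strings
                if not isinstance(v, str):
                    raise BadRequest("conf values must be strings")
                _check_string("conf", k)
                _check_string("conf", v)
        elif not 0 <= value <= MAX_INT:
            raise BadRequest(f"{name} is out of range")
        clean[name] = value
    # Enumerations, formats and defaults for the fields that have them
    clean.setdefault("kind", "spark")  # default chosen for this example; Livy's may differ
    if clean["kind"] not in ALLOWED_KINDS:
        raise BadRequest("kind must be one of " + ", ".join(sorted(ALLOWED_KINDS)))
    for field in ("driverMemory", "executorMemory"):
        if field in clean and not MEMORY_RE.match(clean[field]):
            raise BadRequest(f"{field} must look like 512m or 4g")
    return clean


def _fake_create_session(req):
    """Stand-in for Livy's session creation, so the example runs offline."""
    return {"id": 0, "state": "starting", "kind": req["kind"]}


def handle_post_sessions(raw_body, create_session=_fake_create_session):
    """Return (status, response_json). No parser or server stack trace reaches the client."""
    try:
        try:
            doc = json.loads(raw_body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            # json.JSONDecodeError is a ValueError; its text quotes the bad input, so don't echo it
            raise BadRequest("request body is not valid JSON")
        return 201, create_session(validate_session_request(doc))
    except BadRequest as err:
        return 400, {"msg": str(err)}
    except Exception:
        # Unexpected failure: the full trace goes to the server log under an incident id,
        # and the client gets only that id to quote when reporting the problem.
        incident = uuid.uuid4().hex
        log.exception("POST /sessions failed, incident %s", incident)
        return 500, {"msg": "internal server error", "incident": incident}


if __name__ == "__main__":
    # Constructed probes of the kind a scanner sends: junk byte, wrong type, NUL, unknown field
    for probe in (b'{"kind": "pyspark", "executorCores": 2}', b'{"kind": "pyspark"\x00}',
                  b'{"executorCores": true}', b'{"name": "a\\u0000b"}', b'{"bogus": 1}'):
        print(probe, "->", handle_post_sessions(probe))
```

The two points the report turns on are both in handle_post_sessions: the JSON parser's own exception is caught at the edge and replaced by a fixed message, because parser messages echo fragments of the input, and the catch-all branch logs the trace server-side but returns only an opaque incident id, so a 500 still tells the operator where to look without telling the prober anything about the stack.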