8000 update `java-errors.data` · Issue #4073 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

update java-errors.data #4073

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Xhoenix opened this issue Apr 1, 2025 · 9 comments · May be fixed by #4113
Open

update java-errors.data #4073

Xhoenix opened this issue Apr 1, 2025 · 9 comments · May be fixed by #4113
Labels
response-list This list affects the responses ⚡ list update

Comments

@Xhoenix
Copy link
Member
Xhoenix commented Apr 1, 2025
edited
Loading

Source: ChatGPT

🛑 Critical Java Exceptions That May Appear in HTTP Responses

1️⃣ Java Core Exceptions

java.lang.NullPointerException
java.lang.ArrayIndexOutOfBoundsException
java.lang.StringIndexOutOfBoundsException
java.lang.IllegalArgumentException
java.lang.IllegalStateException
java.lang.ClassCastException
java.lang.UnsupportedOperationException
java.lang.NoSuchMethodException
java.lang.NoSuchFieldException
java.lang.OutOfMemoryError
java.lang.StackOverflowError
java.lang.reflect.InvocationTargetException

2️⃣ Servlet & Web Container Exceptions (Tomcat, Jetty, JBoss, WildFly, WebSphere)

javax.servlet.ServletException
javax.servlet.jsp.JspException
javax.servlet.UnavailableException
org.apache.jasper.JasperException
org.apache.catalina.LifecycleException
org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper
org.apache.coyote.http11.Http11Processor

3️⃣ Spring Framework & Spring Boot Exceptions

org.springframework.web.util.NestedServletException
org.springframework.beans.factory.BeanCreationException
org.springframework.beans.factory.BeanInstantiationException
org.springframework.transaction.CannotCreateTransactionException
org.springframework.jdbc.BadSqlGrammarException
org.springframework.web.client.HttpClientErrorException
org.springframework.web.client.HttpServerErrorException
org.springframework.web.multipart.MultipartException
org.springframework.web.HttpMediaTypeNotSupportedException
org.springframework.security.access.AccessDeniedException

4️⃣ Database & Hibernate/JPA Exceptions

javax.persistence.PersistenceException
javax.persistence.EntityNotFoundException
javax.persistence.RollbackException
org.hibernate.HibernateException
org.hibernate.exception.ConstraintViolationException
org.hibernate.LazyInitializationException
org.hibernate.NonUniqueResultException
org.hibernate.QueryTimeoutException
org.hibernate.StaleStateException
org.hibernate.ObjectNotFoundException

5️⃣ RMI (Remote Method Invocation) & JNDI Exceptions

java.rmi.RemoteException
java.rmi.ServerException
javax.naming.NameNotFoundException
javax.naming.NamingException

6️⃣ Security & Authentication Exceptions

java.security.AccessControlException
javax.crypto.BadPaddingException
javax.crypto.IllegalBlockSizeException
org.springframework.security.authentication.BadCredentialsException
org.springframework.security.core.userdetails.UsernameNotFoundException

7️⃣ JSON/XML & Serialization Exceptions

com.fasterxml.jackson.core.JsonParseException
com.fasterxml.jackson.databind.JsonMappingException
javax.xml.bind.JAXBException
org.xml.sax.SAXParseException

8️⃣ Network & IO Exceptions

java.net.MalformedURLException
java.net.SocketTimeoutException
java.net.ConnectException
java.net.UnknownHostException
java.net.NoRouteToHostException
java.io.FileNotFoundException
java.io.IOException

9️⃣ REST API & HTTP Client Exceptions

org.apache.http.client.HttpResponseException
org.apache.http.client.ClientProtocolException
org.springframework.web.client.HttpClientErrorException
org.springframework.web.client.HttpServerErrorException

I think creating a new rule with a regex assembly file like the following will be better(feel free to improve the regex)

     java[a-zA-Z\.]+Exception
     java[a-zA-Z\.]+Error
     org\.apache[a-zA-Z\.]+Exception
     org\.springframework[a-zA-Z\.]+Exception
     org\.xml[a-zA-Z\.]+Exception

Another way is to block responses containing package names like java.lang, javax.servlet, org.springframework, org.hibernate, etc.

Note: These LLMs provide disclaimer that the provided info can be wrong, so any suggestions are welcome. 😄

Disclaimer: This ain't an April Fool's joke. 😅
@theseion
Copy link
Contributor
theseion commented Apr 1, 2025

We already have a java-errors.data file that contains some of those exceptions. Why not extend that (952110)?

Ultimately, there's no "correct" list of exceptions to detect, but I think it's a good idea to extend the list. Id be careful with some of the HTTP related exceptions though. In badly configured environments those could be part of genuine error responses that we wouldn't want to block at PL 1.

@Xhoenix
8000 Copy link
Member Author
Xhoenix commented Apr 1, 2025

This is about updating java-errors.data or creating a new rule, but as you mentioned we can instead extend rule 952110 instead(which I think is better), this needs to discussed whether we get rid of the java-errors.data and use regex instead in 952110 OR we add all the above errors to java-errors.data.

@Xhoenix Xhoenix added ⚡ list update response-list This list affects the responses and removed 👍 Feature Request labels Apr 1, 2025
@Xhoenix
Copy link
Member Author
Xhoenix commented Apr 2, 2025

Any updates on this, or should I add this to the Meeting Agenda?

@theseion
Copy link
Contributor
theseion commented Apr 3, 2025

I like your idea of using regexes. Instead of having to maintain a huge list, we can break it down to a couple of simple patterns. And, as you say, that would also allow us to block packages easily. Can you prepare a draft PR that we could discuss in the chat?

@S0obi
Copy link
Contributor
S0obi commented Apr 11, 2025
edited
Loading

@Xhoenix, just to let you know, there is an existing issue about this : #2653

@Xhoenix
Copy link
Member Author
Xhoenix commented Apr 12, 2025

This issues is for creating a PR with the provided data. Once a decision is made whether we should use regex or pmFromFile, it's very easy for anyone to implement a PR that'll close both issues.

@Xhoenix Xhoenix mentioned this issue Apr 16, 2025
Open
@theseion
Copy link
Contributor
theseion commented May 3, 2025

@Xhoenix did you get around to creating that PR?

@Xhoenix
Copy link
Member Author
Xhoenix commented May 3, 2025

This issues is for creating a PR with the provided data. Once a decision is made whether we should use regex or pmFromFile, it's very easy for anyone to implement a PR that'll close both issues.

@theseion I'm waiting for a decision to be made on this.

@theseion
Copy link
Contributor
theseion 73B0 commented May 3, 2025

I understand. As I wrote above, I believe a draft PR would help the discussion, since people would see how it could look in the future.

@Xhoenix Xhoenix linked a pull request May 4, 2025 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
response-list This list affects the responses ⚡ list update
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: update java-errors.data Xhoenix/coreruleset
3 participants
@theseion @S0obi @Xhoenix
0