Describe the bug
In DSpace 7.6.1, when the "scope" parameter for an OpenSearch request is a validly-formatted UUID, but not a UUID of a community or collection, the system displays a "Whitelabel Error Page" and a NullPointerException in the log:
dspace | 2024-04-16 13:09:05,204 INFO unknown 8dd50468-9221-45fc-b27d-d65f7ed8acbb org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/opensearch/search] originated from unknown
dspace | 2024-04-16 13:09:05,221 ERROR unknown 8dd50468-9221-45fc-b27d-d65f7ed8acbb org.dspace.app.rest.exception.DSpaceApiExceptionControllerAdvice @ An exception has occurred (status:500)
dspace | java.lang.NullPointerException: null
dspace | at org.dspace.discovery.indexobject.IndexableDSpaceObject.getID(IndexableDSpaceObject.java:40) ~[dspace-api-7.6.1.jar:7.6.1]
dspace | at org.dspace.discovery.indexobject.IndexableDSpaceObject.getID(IndexableDSpaceObject.java:20) ~[dspace-api-7.6.1.jar:7.6.1]
dspace | at org.dspace.discovery.SolrServiceImpl.search(SolrServiceImpl.java:747) ~[dspace-api-7.6.1.jar:7.6.1]
dspace | at org.dspace.app.rest.OpenSearchController.search(OpenSearchController.java:190) ~[classes/:7.6.1]
...
To Reproduce
Note: It does not appear to be possible to trigger this error directly through the GUI, as only "community" and "collection" scopes are used in the "Syndication Feed" button.
On our production system, however, we have seen badly-behaved crawlers make thousands of requests an hour to the OpenSearch endpoint with valid UUIDs that do not correspond to communities or collections.
Steps to Reproduce:
The OpenSearch endpoint can be accessed via a URL of the form:
where <UUID> is the UUID.
A valid UUID, not associated with a collection or community, can be generated using the following "jshell" command (assuming a JDK v9 or later is installed):
The following steps will use a UUID of "b68f0d1c-7316-41dc-835d-46b79b35642e".
This issue can be reproduced on https://demo.dspace.org/ as follows:
In a web browser, go to
https://demo.dspace.org/server/opensearch/search?format=atom&scope=b68f0d1c-7316-41dc-835d-46b79b35642e&query=*
Note: This URL corresponds to an OpenSearch URL (available from the "Syndication Feed" button on any community or collection), with the UUID replaced by "b68f0d1c-7316-41dc-835d-46b79b35642e", which is valid, but does not correspond to a community or collection.
A "Whitelabel Error Page" will be displayed.
Alternatively, instead of using a web browser, run the following curl command:
This will return the following error:
{"timestamp":"2024-04-16T12:35:00.845+00:00","status":500,"error":"Internal Server Error","message":"An exception has occurred","path":"/server/opensearch/search"}
In the DSpace log, an error similar to the above should be displayed.
Expected behavior
Somewhat unclear what the correct behavior should be, but a "Whitelabel Error Page"/HTTP Status 500 error is not optimal, especially as badly behaved crawlers can generate thousands of such requests an hour, with a large stack trace ending up each time in the log.
One possibility is to treat this situation the same as a completely invalid UUID (one that throws an "IllegalArgumentException" when passed to "java.util.UUID.fromString(String name)"), in which case an "unscoped" OpenSearch result is returned.
Related work
#9482
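The fallback suggested under "Expected behavior", sketched as an added example that is not part of the original issue and is not DSpace code: a scope that is malformed, or well-formed but unknown, resolves to an empty Optional so the caller runs an unscoped search instead of dereferencing null. `ScopeResolver`, `Container` and the in-memory map are hypothetical stand-ins for the community/collection lookup, and the first sample UUID is constructed.

```java
import java.util.Map;
import java.util.Optional;
import java.util.UUID;

// Added illustration, not DSpace code: ScopeResolver, Container and the
// in-memory map are hypothetical stand-ins for the community/collection lookup.
public class ScopeResolver {

    record Container(UUID id, String type, String name) {}

    private final Map<UUID, Container> containers;

    ScopeResolver(Map<UUID, Container> containers) {
        this.containers = containers;
    }

    /** Returns the container to scope the search to, or empty for an unscoped search. */
    Optional<Container> resolve(String scopeParam) {
        if (scopeParam == null || scopeParam.isBlank()) {
            return Optional.empty();
        }
        final UUID id;
        try {
            id = UUID.fromString(scopeParam.trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();          // malformed UUID: unscoped
        }
        // Well-formed UUID that matches no community or collection: the lookup
        // yields null, so map it to empty instead of passing null downstream.
        return Optional.ofNullable(containers.get(id));
    }

    public static void main(String[] args) {
        UUID known = UUID.fromString("11111111-2222-3333-4444-555555555555"); // constructed sample
        ScopeResolver resolver = new ScopeResolver(
            Map.of(known, new Container(known, "collection", "Sample collection")));

        String[] inputs = {
            known.toString(),                          // existing collection
            "b68f0d1c-7316-41dc-835d-46b79b35642e",    // valid UUID from the issue, no match
            "not-a-uuid",                              // malformed
        };
        for (String in : inputs) {
            String outcome = resolver.resolve(in)
                .map(c -> "scoped to " + c.type() + " \"" + c.name() + "\"")
                .orElse("unscoped search");
            System.out.println(in + " -> " + outcome);
        }
    }
}
```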