SEAB-7157: Fix TRS 500 #6121

svonworl · 2025-06-07T00:42:34Z

Description
Recently, we observed some 500s that are caused by some TRS path/url processing code going sideways because the original request was doubly-URL-encoded. For example, consider the request from the ticket:

GET /ga4gh/trs/v2/tools/quay.io%252Fcollaboratory%252Fdockstore-tool-bedtools-genomecov/versions/0.3/CWL/descriptor/Dockerfile

The above triggers the 500 at this line

dockstore/dockstore-webservice/src/main/java/io/openapi/api/impl/ToolsApiServiceImpl.java

Line 820 in 48ff1a9

    
           return url + selfPath.split(URLEncoder.encode(entry, StandardCharsets.UTF_8))[1];

because the string to be split and the split separator string don't match because one is doubly-encoded.

However, the proper singly-URL-encoded request:

GET /ga4gh/trs/v2/tools/quay.io%2Fcollaboratory%2Fdockstore-tool-bedtools-genomecov/versions/0.3/CWL/descriptor/Dockerfile

works fine.

In this PR, we modify the malfunctioning function, so that if the split doesn't work, we return a NOT_FOUND response. IMHO, this is reasonable, because due to the double encoding, the file path is nonsensical, despite the fact that, somehow, the code successfully got to this spot.

Review Instructions
The singly-encoded request should succeed.

The doubly-encoded request should fail with a 404.

Issue
https://ucsc-cgl.atlassian.net/browse/SEAB-7157

Security and Privacy

If there are any concerns that require extra attention from the security team, highlight them here and check the box when complete.

Security and Privacy assessed

e.g. Does this change...

Any user data we collect, or data location?
Access control, authentication or authorization?
Encryption features?

Please make sure that you've checked the following before submitting your pull request. Thanks!

Check that you pass the basic style checks and unit tests by running mvn clean install
Ensure that the PR targets the correct branch. Check the milestone or fix version of the ticket.
Follow the existing JPA patterns for queries, using named parameters, to avoid SQL injection
If you are changing dependencies, check the Snyk status check or the dashboard to ensure you are not introducing new high/critical vulnerabilities
Assume that inputs to the API can be malicious, and sanitize and/or check for Denial of Service type values, e.g., massive sizes
Do not serve user-uploaded binary images through the Dockstore API
Ensure that endpoints that only allow privileged access enforce that with the @RolesAllowed annotation
Do not create cookies, although this may change in the future
If this PR is for a user-facing feature, create and link a documentation ticket for this feature (usually in the same milestone as the linked issue). Style points if you create a documentation PR directly and link that instead.

codecov · 2025-06-07T01:07:09Z

Codecov Report

Attention: Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.

Project coverage is 74.18%. Comparing base (eaf6245) to head (66f19a2).
Report is 2 commits behind head on hotfix/1.17.1.

Files with missing lines	Patch %	Lines
.../java/io/openapi/api/impl/ToolsApiServiceImpl.java	50.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@                 Coverage Diff                 @@
##             hotfix/1.17.1    #6121      +/-   ##
===================================================
- Coverage            74.22%   74.18%   -0.05%     
+ Complexity            5663     5660       -3     
===================================================
  Files                  389      389              
  Lines                20329    20332       +3     
  Branches              2100     2101       +1     
===================================================
- Hits                 15090    15083       -7     
- Misses                4237     4246       +9     
- Partials              1002     1003       +1

Flag	Coverage Δ
bitbuckettests	`25.93% <50.00%> (-0.01%)`	⬇️
hoverflytests	`27.62% <0.00%> (-0.01%)`	⬇️
integrationtests	`56.08% <50.00%> (-0.01%)`	⬇️
languageparsingtests	`10.83% <50.00%> (+<0.01%)`	⬆️
localstacktests	`21.34% <0.00%> (-0.01%)`	⬇️
regressionintegrationtests	`?`
toolintegrationtests	`29.90% <50.00%> (+<0.01%)`	⬆️
unit-tests_and_non-confidential-tests	`26.31% <0.00%> (-0.01%)`	⬇️
workflowintegrationtests	`37.36% <50.00%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

denis-yuen · 2025-06-09T14:36:29Z

dockstore-webservice/src/main/java/io/openapi/api/impl/ToolsApiServiceImpl.java

-        return url + selfPath.split(URLEncoder.encode(entry, StandardCharsets.UTF_8))[1];
+        String[] splitPath = selfPath.split(URLEncoder.encode(entry, StandardCharsets.UTF_8));
+        if (splitPath.length < 2) {
+            throw new CustomWebApplicationException("not found", HttpStatus.SC_NOT_FOUND);


a longer message or unique code may be useful for debugging for users who do double-encode

denis-yuen · 2025-06-09T14:37:52Z

dockstore-webservice/src/main/java/io/openapi/api/impl/ToolsApiServiceImpl.java

@@ -817,7 +817,11 @@ private Response getFileByToolVersionID(String registryId, String versionIdParam
     */
    private static String computeURLFromEntryAndRequestURI(String entry, String selfPath) {
        String url = ToolsImplCommon.getUrlFromId(config, entry);
-        return url + selfPath.split(URLEncoder.encode(entry, StandardCharsets.UTF_8))[1];
+        String[] splitPath = selfPath.split(URLEncoder.encode(entry, StandardCharsets.UTF_8));


allergies messing with me, but it took me too long to realize that this was string splitting based on the encoded id itself
i.e. this gets you a split array with the first part of the url in the 0th index and any query parameters or other stuff that follows the ID in the second part

sonarqubecloud · 2025-06-09T18:10:26Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
66.7% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

fix 500

9a1fa7c

svonworl changed the base branch from develop to hotfix/1.17.1 June 7, 2025 00:45

svonworl self-assigned this Jun 7, 2025

svonworl requested review from denis-yuen and kathy-t June 7, 2025 00:53

denis-yuen approved these changes Jun 9, 2025

View reviewed changes

kathy-t approved these changes Jun 9, 2025

View reviewed changes

tweak error message

66f19a2

svonworl merged commit 5e24f6c into hotfix/1.17.1 Jun 10, 2025
22 of 24 checks passed

svonworl deleted the feature/seab-7157/fix-trs-500s branch June 10, 2025 05:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SEAB-7157: Fix TRS 500 #6121

SEAB-7157: Fix TRS 500 #6121

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

SEAB-7157: Fix TRS 500 #6121

SEAB-7157: Fix TRS 500 #6121

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Quality Gate passed

Uh oh!

Uh oh!

Uh oh!