Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#533 closed defect (fixed)

null pointer exception

Reported by: Olaf Seibert 1 Owned by:
Priority: minor Milestone: DASISH backend
Component: DASISH backend Version:
Keywords: Cc: olhsha

Description

I did this:

POST https://lux16.mpi.nl/ds/webannotator/api/annotations

with this body:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<annotation xmlns="http://www.dasish.eu/ns/addit">
    <headline>    This is some text on the same line. </headline>
    <lastModified>2013-11-11T15:07:33Z</lastModified>
    <body>
        <xmlBody>
            <mimeType>text/xml</mimeType>
            <ColTime xmlns:ns2="http://www.dasish.eu/ns/addit" xmlns="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ColTimeMessageID="20165e20-ae94-4eeb-9d5f-b4785a238ee2" noNamespaceSchemaLocation="http://www.mpi.nl/tools/elan/comments.xsd">
                <Metadata>
                    <Initials>AB</Initials>
                    <Sender>me@here.now</Sender>
                    <Recipient>me@here.now</Recipient>
                    <CreationDate>2013-11-11T15:07:33Z</CreationDate>
                    <ModificationDate>2014-04-17T16:21:47Z</ModificationDate>
                    <Category>unknown</Category>
                    <Status>unknown</Status>
                </Metadata>
                <MediaFile ColTimeID="dc69b390-5edf-46fd-b326-8c120651675b"/>
                <AnnotationFile ColTimeID="ddab97c6-6e01-48fa-9156-879da20237c2" type="EAF">urn:nl-mpi-tools-elan-eaf:59d08e6a-5cd9-4aed-8aa4-7074c270e635#t=0.000/0.500</AnnotationFile>
                <Message>    This is some text on the same line.   It has leading and trailing spaces.      </Message>
            </ColTime>
        </xmlBody>
    </body>
    <targets>
        <targetInfo ref="urn:nl-mpi-tools-elan-eaf:59d08e6a-5cd9-4aed-8aa4-7074c270e635">
            <link></link>
            <version></version>
        </targetInfo>
    </targets>
</annotation>

which resulted in this:

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error ({0}) that prevented it from fulfilling this request.

exception

java.lang.NullPointerException
	eu.dasish.annotation.backend.dao.impl.DBIntegrityServiceImlp.addPrincipalsAnnotation(DBIntegrityServiceImlp.java:675)
	eu.dasish.annotation.backend.rest.AnnotationResource.createAnnotation(AnnotationResource.java:239)
	sun.reflect.GeneratedMethodAccessor381.invoke(Unknown Source)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:606)
	com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
	com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
	com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
	com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
	com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
	com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
	com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
	com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
	com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
	com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
	com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
	com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
	com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
	com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

And if one looks at the location of the exception:

./src/main/java/eu/dasish/annotation/backend/dao/impl/DBIntegrityServiceImlp.java:

671     @Override
672     public Number addPrincipalsAnnotation(Number ownerID, Annotation annotation) throws NotInDataBaseException {
673         Number annotationID = annotationDao.addAnnotation(annotation, ownerID);
674         int affectedAnnotRows = this.addTargets(annotation, annotationID);
675         int addedPrincipalsAccesss = this.addPermissions(annotation.getPermissions().getPermission(),
annotationID); // <<<-----
676         int updatedPublic = annotationDao.updatePublicAttribute(annotationID,
annotation.getPermissions().getPublic());
677         return annotationID;
678     }

Indeed, I did not include permissions.

Maybe, if permissions are not included, it is useful to assign some default permissions?

(Oh, and I see now that the class is called ...Imlp instead of ...Impl)

Attachments (1)

olaf-elan2.xml (2.1 KB) - added by olhsha@mpi.nl 10 years ago.

Download all attachments as: .zip

Change History (6)

comment:1 Changed 10 years ago by DefaultCC Plugin

Cc: olhsha added

Changed 10 years ago by olhsha@mpi.nl

Attachment: olaf-elan2.xml added

comment:2 Changed 10 years ago by olhsha@mpi.nl

Je xml is niet correct. Eerst voeg de schema etc als attributen van de annotatie toe:

xmlns="http://www.dasish.eu/ns/addit
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance”
xsi:schemaLocation="http://www.dasish.eu/ns/addit https://svn.clarin.eu/DASISH/t5.6/schema/trunk/annotator-schema/src/main/resources/DASISH-schema.xsd

Daarna krijg je drie volgende fouten te zien:

— ownerRef attribute (required) is gemist (voeg een tijdelijke)
— URI attribute (required) is gemist (voeg een tijdelijke)
— permissions zijn ook.

Zie de bijlage voor de gecorregeerde xml. Pas op: elke targetRef die niet door de backend gedefineerd is, wordt als nieuwe en tijdelijk geinterpreteerd en wordt door de "peristent" DB-ref vervangen.

Gr.
Olha

comment:3 Changed 10 years ago by olhsha@mpi.nl

Resolution: fixed
Status: newclosed

comment:4 Changed 10 years ago by Olaf Seibert 1

I agree that I should try to send better XML to the server.

However, from the viewpoints of security, safety and reliability, a
server should *never* crash because of the input it gets. Clients may be
simply buggy or even malicious, and the server should refuse service
gracefully with an error message, not null pointer exceptions or SQL
errors. It should simply never get that far.

If such problems can (partly) be avoided by validating the XML, the
server should validate the XML.

(Warning: the rant below is because of frustration with the way the
usual Java libraries handle validation as I understand it (I still hope
I have misunderstood it!). The problem is there because of the way the libraries work,
not through some defect in the server code. But it really should be handled better
somehow. I have not found a good enough solution for
this yet, just a partial one)

If the validation on the server side depends on the presence and correctness of
something like

<annotation xsi:schemaLocation="http://something/some-schema.xsd">

and isn't done if it is not present, then this is the completely wrong
way to go about it!

If you don't trust the input (and you shouldn't), then of course you
should certainly even less trust the input to tell you how to validate
itself!

If there is some XML that will crash the server, I as an attacker can easily send such
XML including a reference to a schema that says that my XML is perfectly ok.

In fact, if the validator just fetches the given URL in the hopes to
find a schema there, this could be considered a security problem. The
given URL could point to something malicious.

Even if the URL is the right one and it does give you the correct
schema, why do a network access every time a client request comes in?
Surely it would be more efficient to have the schema available locally.
Preferably pre-compiled if possible.

What I have tried in ELAN to at least avoid the network access is the
following. I don't know how or if this would fit in with the JAXB
(un)marshalling. And I think it still doesn't really do the validation
of there is no reference to a schema at all.

		private XMLReader reader;

	        reader = XMLReaderFactory.createXMLReader(
	        	"org.apache.xerces.parsers.SAXParser");
	        // This works to make sure the schema isn't fetched from the web but from here:
        	reader.setEntityResolver(new EAF28Parser.EAFResolver());

    /**
     * @see {@link http://www.saxproject.org/apidoc/org/xml/sax/EntityResolver.html}
     * @author olasei
     */
    public static class EAFResolver implements EntityResolver {
    	@Override
		public InputSource resolveEntity (String publicId, String systemId)
    	{
    		InputStream stream = null;
    		String resource = null;
    		
    		if (systemId.equals("http://www.mpi.nl/tools/elan/EAFv2.8.xsd")) {
    			resource = "/mpi/eudico/resources/EAFv2.8.xsd";
    		} else ...

    		if (resource != null) {
    			// return a special input source
    			try {
    				stream = this.getClass().getResource(resource).openStream();
        			Reader reader = new InputStreamReader(stream);
        			return new InputSource(reader);
    			} catch (IOException e) {
    				e.printStackTrace();
    			}
    		}
    		// use the default behaviour
    		return null;
    	}
    }

comment:5 Changed 10 years ago by olhsha@mpi.nl

We have planned to add xml-validation on server side, as Menzo suggested https://trac.clarin.eu/browser/ComponentRegistry/trunk/CMDValidate/src/main/java/clarin/cmdi/schema/cmd/Validator.java
, and may be it will fix the problems. I have not just had time to implement it.

I will have at look at this later after I'm "done" with refactoring since the validation issue is becoming urgent.

Note: See TracTickets for help on using tickets.