ERROR 400 Ambiguous URI path separator

[ybelMekk]

Current Behavior

In my test environment, I set up a Docker Compose file with Dependency-Track version 4.12.0.

In production, we are currently running version 4.11.7, and the endpoint described below works without issues, both in production and the test environment.

We make extensive use of tags, especially prior to the introduction of the new tag feature, so it's fair to say that we overuse the /project/tag endpoint.

In the latest version, however, I'm unable to query tags because I receive a ERROR 400 Ambiguous URI path separator when a request query includes a tag that contains a forward slash /.

Were there any changes in the latest release regarding the handling of UTF-8 encoded query strings? Specifically, is there now any support for queries with slashes in tags?

Steps to Reproduce

1. Any query escaped string containing a slash to endpoint /project/tag`.

For example:

curl -X 'GET' \
  'http://localhost:9010/api/v1/project/tag/project%3Aeurope-north1-docker.pkg.dev%2Fmy-p?pageNumber=1&pageSize=100' \
  -H 'accept: application/json' \
  -H 'X-Api-Key: my-key'

Expected Behavior

Return all projects with that tag.

Dependency-Track Version

4.12.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15

Browser

Other

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[nscuro]

Appears to be caused by a behavior change in Jetty: jetty/jetty.project#12162

[ybelMekk]

Thanks for quick feedback @nscuro .

[nscuro]

There seem to be ways to make it behave like before, I'll ensure we ship a fix with the next bugfix release.

[janweinkauff]

We’re experiencing the same issue and are looking forward to the fix. 🚀

[nscuro]

Just waiting for an Alpine release so we can pull the fix in. Will release v4.12.1 immediately afterwards, it's ready otherwise.

[Yingrjimsch]

I have a self hosted dependencytrack instance where I call the endpoint api/v1/badge/violations/project/PROJECT_NAME/latest?apiKey=API_KEY where PROJECT_NAME is url encoded: test%20%2Fproject. I'm still encountering an issue and in the logs it looks like a jetty problem. Can someone help with that?

2024-10-28 13:43:54,793 ERROR [ServerRuntime$Responder] An I/O error has occurred while writing a response message entity to the container output stream.
org.glassfish.jersey.server.internal.process.MappableException: org.eclipse.jetty.io.EofException
        at org.glassfish.jersey.server.internal.MappableExceptionWrapperInterceptor.aroundWriteTo(MappableExceptionWrapperInterceptor.java:67)
        at org.glassfish.jersey.message.internal.WriterInterceptorExecutor.proceed(WriterInterceptorExecutor.java:139)
        at org.glassfish.jersey.message.internal.MessageBodyFactory.writeTo(MessageBodyFactory.java:1116)
        at org.glassfish.jersey.server.ServerRuntime$Responder.writeResponse(ServerRuntime.java:691)
        at org.glassfish.jersey.server.ServerRuntime$Responder.processResponse(ServerRuntime.java:398)
        at org.glassfish.jersey.server.ServerRuntime$Responder.process(ServerRuntime.java:388)
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696)
        at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397)
        at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312)
        at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379)
        at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1614)
        at alpine.server.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:225)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
        at alpine.server.filters.ClickjackingFilter.doFilter(ClickjackingFilter.java:93)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
        at alpine.server.filters.WhitelistUrlFilter.doFilter(WhitelistUrlFilter.java:166)
        at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
        at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1547)
        at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:824)
        at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:436)
        at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:464)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575)
        at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717)
        at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1060)
        at org.eclipse.jetty.server.Server.handle(Server.java:182)
        at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662)
        at org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:414)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
        at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:478)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:441)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:201)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:311)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.eclipse.jetty.io.EofException: null
        at org.eclipse.jetty.io.SocketChannelEndPoint.flush(SocketChannelEndPoint.java:117)
        at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:422)
        at org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:377)
        at org.eclipse.jetty.io.SelectableChannelEndPoint$2.run(SelectableChannelEndPoint.java:67)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:478)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:426)
        ... 7 common frames omitted
Caused by: java.io.IOException: Broken pipe
        at java.base/sun.nio.ch.SocketDispatcher.writev0(Native Method)
        at java.base/sun.nio.ch.SocketDispatcher.writev(Unknown Source)
        at java.base/sun.nio.ch.IOUtil.write(Unknown Source)
        at java.base/sun.nio.ch.IOUtil.write(Unknown Source)
        at java.base/sun.nio.ch.SocketChannelImpl.write(Unknown Source)
        at java.base/java.nio.channels.SocketChannel.write(Unknown Source)
        at org.eclipse.jetty.io.SocketChannelEndPoint.flush(SocketChannelEndPoint.java:111)
        ... 12 common frames omitted

[nscuro]

@Yingrjimsch That is a different issue. org.eclipse.jetty.io.EofException basically means the client abandoned the connection before the server could send the complete response. Is that log always appearing when you request a badge?

[Yingrjimsch]

@Yingrjimsch That is a different issue. org.eclipse.jetty.io.EofException basically means the client abandoned the connection before the server could send the complete response. Is that log always appearing when you request a badge?

No, if I request a badge through the project ID there is no problem
Edit: My workflow requires requesting the badge throug name because the name is derivated from the git repo.
Do you know what the problem could be?
@nscuro any ideas, why this happens?

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.