EZP-31298: Made non verbose exception messages in REST responses

[webhdx]

Question	Answer
JIRA issue	EZP-31298
Bug	yes
New feature	no
Target version	7.5
BC breaks	no
Tests pass	yes
Doc needed	no

This PR hides potentially sensitive data that could be leaked on REST exceptions.

TODO:

• Implement feature / fix a bug.
• Implement tests.
• Fix new code according to Coding Standards ($ composer fix-cs).
• Ask for Code Review.

[webhdx]

Added one small change - it will use proper error message for all "safe" errors like unauthorized, not found etc. Technical errors (>=500) are using generic "an error occured" message when not in debug mode.

ping @micszo ready for a retest

[glye]

Do you have samples of what the "safe" errors look like now? The 4xx errors are interesting, do they give you any details other than for example HTTP 401 Unauthorised?

[micszo]

400:

<?xml version="1.0" encoding="UTF-8"?>
<ErrorMessage media-type="application/vnd.ez.api.ErrorMessage+xml">
    <errorCode>400</errorCode>
    <errorMessage>Bad Request</errorMessage>
    <errorDescription>Detected errors in input XML:
 - In line 4 character 24: expected '&gt;'


In XML: 

&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;ContentTypeGroupInput&gt;
    &lt;identifier&gt;newContentTypeGroup3&lt;/identifier&gt;
&lt;/ContentTypeGroupInput</errorDescription>
</ErrorMessage>

401:

<?xml version="1.0" encoding="UTF-8"?>
<ErrorMessage media-type="application/vnd.ez.api.ErrorMessage+xml">
    <errorCode>401</errorCode>
    <errorMessage>Unauthorized</errorMessage>
    <errorDescription>User does not have access to 'POST /api/ezp/v2/content/typegroups' 'Missing or invalid CSRF token'</errorDescription>
</ErrorMessage>

403:

<?xml version="1.0" encoding="UTF-8"?>
<ErrorMessage media-type="application/vnd.ez.api.ErrorMessage+xml">
    <errorCode>403</errorCode>
    <errorMessage>Forbidden</errorMessage>
    <errorDescription>Argument '$contentTypeGroupCreateStruct' is invalid: A group with the identifier 'newContentTypeGroup3' already exists</errorDescription>
</ErrorMessage>

another 401:

{
    "ErrorMessage": {
        "_media-type": "application/vnd.ez.api.ErrorMessage+json",
        "errorCode": 401,
        "errorMessage": "Unauthorized",
        "errorDescription": "User does not have access to 'POST /api/ezp/v2/user/sessions' 'Missing or invalid CSRF token'"
    }
}

[webhdx]

Yes, these are all 4xx errors so they will be displayed as usual. We only hide 5xx messages i.e. type errors which are prone to leaking file paths.

[glye]

Thanks. The 400 error from the XML parser could be useful to someone trying an XML hack, such as XXE, or otherwise looking for exploitable bugs in our XML parser. Then again, that parser is open source. But if errors originating in the underlying libxml can be exposed indirectly, that's not good.

I'd still say it's a little safer to give nothing away but a hashed and time-variable error code, which can be looked up in the logs by legit devs. But that is more dev work to make, and more cumbersome to work with if implemented. So I'd say this is ok, the most important problem is fixed.

[micszo]

In symfony env prod error descriptions for 500 error messages are now masked with the phrase "An error has occurred. Please try again later or contact your Administrator.".
QA Approved on eZ Platform EE v2.5.8 with diff.

[lserwatka]

Could you merge it up?