- Type: Bug Report
- Resolution: Fixed
- Priority: L3 - Default
- Affects Version/s: None
- Component/s: engine
Steps to reproduce:
- Use default camunda-bpm-ee-tomcat-7.10.0-ee
- Send the following GET request: localhost:8080/engine-rest/history/process-instance?startedAfter="makepizza"
Expected behaviour:
"type": "InvalidRequestException",
"message": "Cannot set query parameter 'startedAfter' to value ''makepizza'': Cannot convert value \"'makepizza'\" to java type java.util.Date"
Actual result:
The parameter is excluded / ignored from the filter and a 200 OK is returned if the rest of the query parameters are valid.
This has been tested with the startedAfter and startedBefore parameters of the following endpoint: https://docs.camunda.org/manual/7.10/reference/rest/history/process-instance/get-process-instance-query/ but it may affect other parameters / endpoints too.
Root cause
- The DateConverter we use in the REST API (https://github.com/camunda/camunda-bpm-platform/blob/master/engine-rest/engine-rest/src/main/java/org/camunda/bpm/engine/rest/dto/converter/DateConverter.java) always wraps the submitted value in double quotes and then gives it to Jackson.
- "makepizza" becomes ""makepizza"", and Jackson reads the first pair of double quotes as an empty string and returns null, which essentially means that the filter is not applied.
Solution ideas
- Validate that the submitted value does not start or end with double quotes
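The root cause and the solution idea above, sketched as an added example that is not Camunda's DateConverter or its actual fix. The class `StrictDateParam`, its methods `lenient` and `strict`, and the date pattern are assumptions for illustration; it needs jackson-databind 2.9 or later on the classpath.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.text.SimpleDateFormat;
import java.util.Date;

// Hypothetical stand-alone class, not part of camunda-bpm-platform.
public class StrictDateParam {

    private static ObjectMapper mapper(boolean failOnTrailing) {
        ObjectMapper m = new ObjectMapper();
        // Assumed date pattern for this example.
        m.setDateFormat(new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ"));
        // When enabled, content left over after the first JSON value is an error.
        m.configure(DeserializationFeature.FAIL_ON_TRAILING_TOKENS, failOnTrailing);
        return m;
    }

    // Pattern from the report: wrap the raw parameter in quotes and give it to Jackson.
    // A value that already carries quotes yields an empty first string, hence null.
    static Date lenient(String raw) throws Exception {
        return mapper(false).readValue("\"" + raw + "\"", Date.class);
    }

    // Solution idea from the report, plus two defence-in-depth checks.
    static Date strict(String raw) throws Exception {
        if (raw == null || raw.isEmpty() || raw.indexOf('"') >= 0) {
            throw new IllegalArgumentException(
                "Cannot convert value " + raw + " to java type java.util.Date");
        }
        Date parsed = mapper(true).readValue("\"" + raw + "\"", Date.class);
        if (parsed == null) { // never let a null silently drop the filter
            throw new IllegalArgumentException("Date parameter resolved to null: " + raw);
        }
        return parsed;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed date, one quoted non-date.
        String[] samples = { "2019-01-23T13:42:45.000+0200", "\"makepizza\"" };
        for (String s : samples) {
            try { System.out.println("lenient " + s + " -> " + lenient(s)); }
            catch (Exception e) { System.out.println("lenient " + s + " rejected: " + e.getMessage()); }
            try { System.out.println("strict  " + s + " -> " + strict(s)); }
            catch (Exception e) { System.out.println("strict  " + s + " rejected: " + e.getMessage()); }
        }
    }
}
```

In a REST layer the exception thrown by `strict` would be mapped to a 400 response, so that an unparseable filter value cannot widen the result set.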