api: Warn if query parameters have multiple values (#5009)

* api: Ensure single query parameter value * change error to warn * Address comments
2025-11-02 11:52:28 +01:00 · 2022-03-08 22:52:39 +05:30 · 2022-03-08 22:52:39 +05:30 · 5534b7afda
commit 5534b7afda
parent 6401c850b7
2 changed files with 19 additions and 2 deletions
--- a/server/src/main/java/com/cloud/api/ApiServer.java
+++ b/server/src/main/java/com/cloud/api/ApiServer.java
@ -464,7 +464,11 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
                        responseType = param.getValue();
                        continue;
                    }
-                    parameterMap.put(param.getName(), new String[]{param.getValue()});
+                    if(parameterMap.putIfAbsent(param.getName(), new String[]{param.getValue()}) != null) {
+                        String message = String.format("Query parameter '%s' has multiple values [%s, %s]. Only the last value will be respected." +
+                            "It is advised to pass only a single parameter", param.getName(), param.getValue(), parameterMap.get(param.getName()));
+                        s_logger.warn(message);
+                    }
                }
            }

--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@ -136,6 +136,17 @@ public class ApiServlet extends HttpServlet {
        });
    }

+    private void checkSingleQueryParameterValue(Map<String, String[]> params) {
+        params.forEach((k, v) -> {
+            if (v.length > 1) {
+                String message = String.format("Query parameter '%s' has multiple values %s. Only the last value will be respected." +
+                    "It is advised to pass only a single parameter", k, Arrays.toString(v));
+                s_logger.warn(message);
+            }
+        });
+
+    }
+
    void processRequestInContext(final HttpServletRequest req, final HttpServletResponse resp) {
        InetAddress remoteAddress = null;
        try {
@ -156,7 +167,9 @@ public class ApiServlet extends HttpServlet {
        // get the response format since we'll need it in a couple of places
        String responseType = HttpUtils.RESPONSE_TYPE_XML;
        final Map<String, Object[]> params = new HashMap<String, Object[]>();
-        params.putAll(req.getParameterMap());
+        Map<String, String[]> reqParams = req.getParameterMap();
+        checkSingleQueryParameterValue(reqParams);
+        params.putAll(reqParams);

        // For HTTP GET requests, it seems that HttpServletRequest.getParameterMap() actually tries
        // to unwrap URL encoded content from ISO-9959-1.