MediaWiki treats CLTF text as RCE - mediawiki

Help. I have a weird problem on a MediaWiki 1.37.2 install. We (me & the musician) are trying to get a wiki going for Clan Lord Tune Format music (like midi but with a–g, "." for flat, "[…]" for chords so "[DFA.]" is a possible chord). However, when we try to edit or create a page with CLTF in it, sometimes MediaWiki throws an exception thinking it’s an RCE attack:
ModSecurity: Warning. Pattern match "(?:\$(?:\((?:\(.\)|.)\)|\{.\})|[<>]\(.\)) at ARGS:text at ARGS:text. [file "…/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data:
and
[severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"]
at the end.
How do I disable or modify the security module to not throw the exception on this text and not flag it as an RCE attack so it can be saved in the wiki? Is there a setting or format of the text that will allow the CLTF formatted music?
Thanks in advance for any answers that fix this.
*EDIT: I found this: https://www.mediawiki.org/wiki/ModSecurity and it says to turn off the security module with an .htaccess file. Does this go in the MediaWiki directory or the web root?
**EDIT 2: we also found this: https://anto.online/guides/how-to-disable-modsecurity-rules-that-cause-403-errors/ and are not sure which one is the for the OWASP_CRS are the codes: "capec/1000/152/248/88" ?
full log (minus personally identifiable info removed with ellipsis: … ):
[Wed May 18 08:27:38.649383 2022] [:error] [pid 3490:tid 3408850568960] [client …] [client …] ModSecurity: Warning. Pattern match "(?:\\$(?:\\((?:\\(.\\)|.)\\)|\\{.\\})|[<>]\\(.\\))" at ARGS:wpTextbox1. [file "…/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "366"] [id "932130"] [msg "Remote Command Execution: Unix Shell Expression Found"] [data "Matched Data: >((#150[e]4ppp[b]2pp[e]2pp[e]2p[d]3ppp[e]2pp|1[e]2pp[e]2p!ppp)2)4([=egb]8[e]4ppp[b]2p[=egb]8p[e]2pp[e]2p[=df#b]8[d]3ppp[e]2p[=egb]8p|1[e]2pp[e]2p!ppp)2([=cea]8[a]4ppp[e]2p[=cea]8p[a]2pp[a]2p[=df#b]8[d]3ppp[f#]2p|1[=cea]8p[e]2pp[e]2p![=egb]8pppp)2(([=egb]8[e]4ppp[b]2p[=egb]8p[e]2pp[e]2p[=df#b]8[d]3ppp[e]2p|1[=egb]8p[e]2pp[e]2p![=egb]pppp)2)2([=egb]8[e]4ppp[b]2p[=egb]8p[e]2pp[e]2p[=df#b]8[d]3ppp[e]2p[=egb]8p|1[e]2pp[e]2p!ppp)2([=cea]8[a]4ppp[e]2p[=cea]8p[a]2pp[a]2p[=df#b]8[d]3ppp[f#]2p|1[=cea..."] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2" [hostname "…"] [uri "…bardsfield/index.php"] [unique_id "YoUQak6BVgxiylKa6BNQVgAAAAE"], referer: https://…/bardsfield/index.php?title=…&action=edit

Okay. So, We got all the modSec rule IDs exempted that we needed (there we 6 security violations) to by our hosting ISP’s server admin. So ,this case is closed.

Try this exclusion rule (put it into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf):
SecRule REQUEST_FILENAME "#endsWith /index.php" \
"id:80,\
phase:1,\
pass,\
t:none,\
nolog,\
chain"
SecRule ARGS:action "#streq submit" \
"t:none,\
chain"
SecRule &ARGS:action "#eq 1" \
"t:none,\
ctl:ruleRemoveTargetById=930120;ARGS:wpTextbox1,\
ctl:ruleRemoveTargetById=932100;ARGS:wpTextbox1,\
ctl:ruleRemoveTargetById=932130;ARGS:wpTextbox1,\
ctl:ruleRemoveTargetById=941100;ARGS:wpTextbox1,\
ctl:ruleRemoveTargetById=941160;ARGS:wpTextbox1"

Related

Server denies request due to wrong Domain coming from Fritzbox

I am trying to reach my local server via IPv6 which is failing due to certificate issues.
E.g. the nextcloud client gives following error:
$nextcloudcmd --trust --logdebug Nextcloud https://nextcloud.domain.de
10-20 12:47:43:798 [ info nextcloud.sync.accessmanager ]: 2 "" "https://nextcloud.domain.de/ocs/v1.php/cloud/capabilities?format=json" has X-Request-ID "19a2a694-1912-4813-b3f5-2d4d5720fa80"
10-20 12:47:43:799 [ info nextcloud.sync.networkjob ]: OCC::JsonApiJob created for "https://nextcloud.domain.de" + "ocs/v1.php/cloud/capabilities" ""
10-20 12:47:43:955 [ info nextcloud.sync.account ]: "SSL-Errors happened for url \"https://nextcloud.domain.de/ocs/v1.php/cloud/capabilities?format=json\" \tError in QSslCertificate(\"3\", \"f9:8e:0f:4f:bd:4b:a3:5f\", \"hkXxG7tBu+SGaRSBZ9gRyw==\", \"<hostname>.domain.de\", \"<hostname>.domain.de\", QMap((1, \"www.fritz.nas\")(1, \"fritz.nas\")(1, \"<WiFi-Name>\")(1, \"www.myfritz.box\")(1, \"myfritz.box\")(1, \"www.fritz.box\")(1, \"fritz.box\")(1, \"<hostname>.domain.de\")), QDateTime(2019-10-19 12:32:25.000 UTC Qt::UTC), QDateTime(2038-01-15 12:32:25.000 UTC Qt::UTC)) : \"The host name did not match any of the valid hosts for this certificate\" ( \"The host name did not match any of the valid hosts for this certificate\" ) \n \tError in QSslCertificate(\"3\", \"f9:8e:0f:4f:bd:4b:a3:5f\", \"hkXxG7tBu+SGaRSBZ9gRyw==\", \"<hostname>.domain.de\", \"<hostname>.domain.de\", QMap((1, \"www.fritz.nas\")(1, \"fritz.nas\")(1, \"<WiFi-Name>\")(1, \"www.myfritz.box\")(1, \"myfritz.box\")(1, \"www.fritz.box\")(1, \"fritz.box\")(1, \"<hostname>.domain.de\")), QDateTime(2019-10-19 12:32:25.000 UTC Qt::UTC), QDateTime(2038-01-15
12:32:25.000 UTC Qt::UTC)) : \"The certificate is self-signed, and untrusted\" ( \"The certificate is self-signed, and untrusted\" ) \n " Certs are known and trusted! This is not an actual error.
10-20 12:47:43:964 [ warning nextcloud.sync.networkjob ]: QNetworkReply::ProtocolInvalidOperationError "Server replied \"400 Bad Request\" to \"GET https://nextcloud.domain.de/ocs/v1.php/cloud/capabilities?format=json\"" QVariant(int, 400)
10-20 12:47:43:964 [ info nextcloud.sync.networkjob.jsonapi ]: JsonApiJob of QUrl("https://nextcloud.domain.de/ocs/v1.php/cloud/capabilities?format=json") FINISHED WITH STATUS "ProtocolInvalidOperationError Server replied \"400 Bad Request\" to \"GET https://nextcloud.domain.de/ocs/v1.php/cloud/capabilities?format=json\""
10-20 12:47:43:964 [ warning nextcloud.sync.networkjob.jsonapi ]: Network error: "ocs/v1.php/cloud/capabilities" "Server replied \"400 Bad Request\" to \"GET https://nextcloud.domain.de/ocs/v1.php/cloud/capabilities?format=json\"" QVariant(int, 400)
10-20 12:47:43:964 [ debug default ] [ main(int, char**)::<lambda ]: Server capabilities QJsonObject()
Error connecting to server
I wonder why Fritzbox tries to request via .domain.de instead of nextcloud.domain.de.
Can anyone point me into the right direction?
Okay got information from the Site (German: https://avm.de/service/fritzbox/fritzbox-7580/wissensdatenbank/publication/show/3525_Zugriff-auf-HTTPS-Server-im-Heimnetz-nicht-moglich#zd) which led me to following conclusion.
As you do not have NAT for IPv6 addresses and the fritzbox cannot do it as well, the IPv6 has to be from the server. Thus one solution I found is ddclient. By installing it on your GNU\Linux server it will update the IPv6 address at your DynDNS provider.
But one thing is still open. I cannot get IPv4 and IPv6 updated.

lein cljsbuild fails with untraceable error. How do you troubleshoot cljsbuild errors?

I do not see any log file for the compilation and the error in the terminal is insufficient for me to troubleshoot further.
How do i get more verbose error logging or how should i trouble shoot this issue?
First few lines from stacktrace below
Compiling ClojureScript...
Compiling ["resources/public/js/app.js"] from ["src/cljs"]...
Compiling ["resources/public/js/app.js"] failed.
clojure.lang.ExceptionInfo: failed compiling file:resources\public\js\out\cljs\core.cljs {:file #object[java.io.File 0x7c5d1d25 "resources\\public\\js\\out\\cljs\\core.cljs"], :clojure.error/phase :compilation}
at cljs.compiler$compile_file$fn__3901.invoke(compiler.cljc:1706)
at cljs.compiler$compile_file.invokeStatic(compiler.cljc:1666)
I have a simple cljs file with the following contents
(ns moose.core)
(defn run []
(.write js/document "This is not the end!"))
My project.clj has the following config for cljsbuild
:cljsbuild
{:builds [{:id "dev"
:source-paths ["src/cljs"]
:figwheel {:on-jsload "moose.core/run"
:open-urls ["http://localhost:3449/index.html"]}
:jar true
:compiler {:main moose.core
:warnings true
:output-dir "resources/public/js/out"
:asset-path "js/out"
:output-to "resources/public/js/app.js"}}]}
:clean-targets ^{:protect false} [:target-path :compile-path "resources/public/js" "dev-target"]
Update 1
Following Alan's advice below, i created a new template and narrowed down the cause to adding a fairly old library for interacting with CouchDB
[com.ashafa/clutch "0.4.0"]
The question remains how do I get detailed/complete logs for cljsbuild.
Update 2
Turns out the position of the library in the list of dependencies has an impact.
If it appears before [com.cognitect/transit-clj "0.8.313"] compilation fails otherwise it works.
The configuration options in ClojureScript are not well documented. It is easiest to clone an existing (working) project and go from there. I would suggest starting from the cljs-template project as follows (see the README):
git clone https://github.com/cloojure/cljs-template.git demo-0212 ; temp
> cd demo-0212
~/expr/demo-0212 > ls -ldF *
-rwxrwxr-x 1 alan alan 222 Feb 12 16:04 npm-install.bash*
-rwxrwxr-x 1 alan alan 4216 Feb 12 16:04 project.clj*
-rw-rw-r-- 1 alan alan 1576 Feb 12 16:04 README.adoc
drwxrwxr-x 3 alan alan 4096 Feb 12 16:04 resources/
drwxrwxr-x 5 alan alan 4096 Feb 12 16:04 src/
drwxrwxr-x 4 alan alan 4096 Feb 12 16:04 test/
~/expr/demo-0212 > ./npm-install.bash
...<snip>... lots of stuff
At this point your project has the npm stuff needed for the unit tests.
> lein clean
> lein doo phantom test once
;; ======================================================================
;; Testing with Phantom:
doorunner - beginning
doorunner - end
Testing tst.flintstones.dino
test once - enter
globalObject: #js {:a 1, :b 2, :c 3}
(-> % .-b (+ 5) => 7
(js/makeDino) => #js {:desc blue dino-dog, :says #object[Function]}
dino.desc => blue dino-dog
dino.says(5) => Ruff-Ruff-Ruff-Ruff-Ruff!
:keep-words ("am" "having" "today")
:re-seq ("am" "having" "today")
test once - leave
Testing tst.flintstones.wilma
test each - enter
test each - leave
test each - enter
wilmaPhony/stats: #js {:lipstick red, :height 5.5}
wilma => #js {:desc patient housewife, :says #object[Function]}
test each - leave
Testing tst.flintstones.pebbles
test once - enter
test once - leave
Testing tst.flintstones.slate
logr-slate-enter
logr-slate-leave 3
Testing tst.flintstones.bambam
test each - enter
test each - leave
test each - enter
logr-bambam-enter
logr-bambam-leave 3
test each - leave
Ran 9 tests containing 22 assertions.
0 failures, 0 errors.
lein doo phantom test once 38.73s user 1.05s system 313% cpu 12.701 total
You can also fire off figwheel to see results in the browser:
> lein clean
> lein figwheel
see new webpage (30-60 sec delay)
------------------------
Figwheel template
Checkout your developer console.
I am a component!
I have bold and red text.
...etc...
------------------------

GRAILS-2.5 Handling syntax errors on external configuration

I have application developed using Grails 2.5.
In the the "Config.groovy" file i have included external configuration file like this:
grails.config.locations = []
def locationAdder = ConfigFinder.&addLocation.curry(grails.config.locations)
[CONFIG-1 : "base_config.groovy",
CONFIG-2 : "app_configuration.groovy"
].each { envName, defaultFileName -> locationAdder(envName, defaultFileName) }
In the "app_configuration.groovy" file i have all the application level configuration.
My question is how to catch the "syntax errors" when server is loading this configuration files, like ex.:
if i have configuration like
some_configuration=["key": "value"]
and if it has an syntax errors like
some_configuration=["key": "value
Notice that above it missed double quote and ending bracket, in this case the server will not load all the configurations.
If any one know that how to catch exception and reload the configurations with corrected configuration.
You can not catch Exception in external config. You may just add some log which in case of failure, at least have got some clue where it is failed.
println "External config: Part 1 loaded "
println "External Config: Part n loaded "
....

Core OWASP ModSecurity - Allowing JSON

I've had ModSecurity and the Core OWASP Rule Set ver.2.2.5 installed for some months now, but a JSON endpoint on the site has recently stopped responding, and the Apache log gets the following:
[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity:
Warning. Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash"
required. [file
"/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"]
[line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data
Changed - IP Address Mismatch."] [hostname "************"] [uri
"/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id
"Va4hyKwfKiYAAAYSLigAAAAJ"]
[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity:
Warning. Match of "streq %{SESSION.UA_HASH}" against "TX:ua_hash"
required. [file
"/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"]
[line "36"] [id "981060"] [msg "Warning - Sticky SessionID Data
Changed - User-Agent Mismatch."] [hostname "************"] [uri
"/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id
"Va4hyKwfKiYAAAYSLigAAAAJ"]
[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity:
Warning. Operator EQ matched 2 at TX:sticky_session_anomaly. [file
"/etc/modsecurity/activated_rules/modsecurity_crs_16_session_hijacking.conf"]
[line "37"] [id "981061"] [msg "Possible Session Hijacking - IP
Address and User-Agent Mismatch."] [hostname "************"] [uri
"/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id
"Va4hyKwfKiYAAAYSLigAAAAJ"]
[Tue Jul 21 10:41:12 2015] [error] [client 194.54.11.146] ModSecurity:
Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against
"TX:0" required. [file
"/etc/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"]
[line "64"] [id "960010"] [msg "Request content type is not allowed by
policy"] [data "application/json"] [severity "WARNING"] [tag
"POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
[hostname "************"] [uri
"/api/campaigns/d3c735cb-0773-11e4-98bd-02f651afdab5"] [unique_id
"Va4hyKwfKiYAAAYSLigAAAAJ"]
I'm new to mod_security and the OWASP rules (I basically followed the guide here) but as I understand, rules are scored, and if a request passes a threshold, it's nuked. I assume this is what I'm seeing here.
The final one is the one that concerns me - "application/json" should certainly be allowed. From looking at /etc/modsecurity/modsecurity_crs_10_setup.conf, I see:
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf'
My question is:
1. Can I just add application/json in here to make the error go away?
2. Is that the correct way to do it?
Yes you can so it reads like this:
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json'
Yes that is the correct way of doing this.

JSON Invalid UTF-8 middle byte

This error happens when the (Jackson, this case) JSON engine tries to parse some JSON that is not encoded in UTF-8.
How to tell the engine that it should expect something different from UTF-8, such as UTF-16?
HttpHeaders requestHeaders = createSomeHeader();
RestTemplate restTemplate = new RestTemplate();
HttpEntity<?> requestEntity = new HttpEntity<Object>(requestHeaders);
String url = "someurl"
ResponseEntity<MyObject[]> arrayResponseEntity = restTemplate.exchange(url, HttpMethod.GET, requestEntity, MyObject[].class);
error log:
Caused by: org.springframework.http.converter.HttpMessageNotReadableException: Could not read JSON: Invalid UTF-8 middle byte 0x20
at [Source: org.apache.http.conn.EofSensorInputStream#44d397b0; line: 92, column: 42]; nested exception is org.codehaus.jackson.JsonParseException: Invalid UTF-8 middle byte 0x20
at [Source: org.apache.http.conn.EofSensorInputStream#44d397b0; line: 92, column: 42]
at org.springframework.http.converter.json.MappingJacksonHttpMessageConverter.readInternal(MappingJacksonHttpMessageConverter.java:138)
at org.springframework.http.converter.AbstractHttpMessageConverter.read(AbstractHttpMessageConverter.java:154)
at org.springframework.web.client.HttpMessageConverterExtractor.extractData(HttpMessageConverterExtractor.java:74)
at org.springframework.web.client.RestTemplate$ResponseEntityResponseExtractor.extractData(RestTemplate.java:622)
at org.springframework.web.client.RestTemplate$ResponseEntityResponseExtractor.extractData(RestTemplate.java:608)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:449)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:404)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:380)
... 4 more
Caused by: org.codehaus.jackson.JsonParseException: Invalid UTF-8 middle byte 0x20
at [Source: org.apache.http.conn.EofSensorInputStream#44d397b0; line: 92, column: 42]
at org.codehaus.jackson.JsonParser._constructError(JsonParser.java:1213)
at org.codehaus.jackson.impl.JsonParserMinimalBase._reportError(JsonParserMinimalBase.java:375)
at org.codehaus.jackson.impl.Utf8StreamParser._reportInvalidOther(Utf8StreamParser.java:2132)
at org.codehaus.jackson.impl.Utf8StreamParser._reportInvalidOther(Utf8StreamParser.java:2139)
at org.codehaus.jackson.impl.Utf8StreamParser._decodeUtf8_3fast(Utf8StreamParser.java:1962)
I got this exception when in the Java Client Application I was serializing a JSON like this
String json = mapper.writeValueAsString(contentBean);
and on the Server Side I was using Spring Boot as REST Endpoint.
Exception was:
nested exception is com.fasterxml.jackson.databind.JsonMappingException: Invalid UTF-8 start byte 0xaa
My problem was, that I was not setting the correct encoding on the HTTP Client.
This solved my problem:
updateRequest.setHeader("Content-Type", "application/json;charset=UTF-8");
StringEntity entity= new StringEntity(json, "UTF-8");
updateRequest.setEntity(entity);
Android set content type HttpPost
JSON data must be encoded as UTF-8, UTF-16 or UTF-32. The JSON decoder can determine the encoding by examining the first four octets of the byte stream:
00 00 00 xx UTF-32BE
00 xx 00 xx UTF-16BE
xx 00 00 00 UTF-32LE
xx 00 xx 00 UTF-16LE
xx xx xx xx UTF-8
It sounds like the server is encoding data in some illegal encoding (ISO-8859-1, windows-1252, etc.)
I got this after saving the JSON file using Notepad2, so I had to open it with Notepad++ and then say "Convert to UTF-8". Then it worked.
On the off chance it may help others I'll share a related anecdote.
I encountered this exact error (Invalid UTF-8 middle byte 0x3f) running a PowerShell script via the PowerShell Integrated Script Environment (ISE). The identical script, executed outside the ISE, works fine. The code uses the Confluence v3 and v5.x REST APIs and this error is logged on the Confluence v5.x server - presumably because the ISE somehow mucks with the request.
This awnser solved my problem. Below is a copy of it:
Make sure to start you JVM with -Dfile.encoding=UTF-8. You JVM
defaults to the operating system charset
This is a JVM argument which could be added, for example, either to JBoss standalone or JBoss running from Eclipse.
In my case, this problem happened isolatelly on only one of my team people's computer. All the others was working without this problem.
I had this problem inconsistently between different platforms, as I got JSON as String from Mapper and did the writing myself. Sometimes it went into file as ansi and other times correctly as UTF8. I switched to
mapper.writeValue(file, data);
letting Mapper do the file operations, and it started working fine.
client text protocol
POST http://127.0.0.1/bom/create HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.25.0
Accept: */*
Postman-Token: 50ecfbfe-741f-4a2b-a3d3-cdf162ada27f
Host: 127.0.0.1
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 405
{
"fwoid": 1,
"list": [
{
"bomIndex": "10001",
"desc": "带GH 1.25 13pin 公座带针 白色",
"pn": "084.0001.0036",
"preUse": 1,
"type": "追觅 除螨仪-开关PCB组件"
},
{
"bomIndex": "10002",
"desc": "紫米音箱-商品码标签",
"pn": "Z.08.013.0051",
"preUse": 1,
"type": "E060A0302301"
}
]
}
HTTP/1.1 200 OK
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: application/json
Date: Mon, 01 Jun 2020 11:23:42 GMT
Content-Length: 40
{"code":"0","message":"BOM保存成功"}
a springboot Controller code as below:
#PostMapping("/bom/create")
#ApiOperation(value = "保存BOM")
#BusinessOperation(module = "BOM",methods = "解析BOM")
public JsonResult save(#RequestBody BOMSaveQuery query)
{
return bomService.saveBomList(query);
}
when i debug on loopback interface,it works ok. while deploy on internet server via bat command, i got an error
ServletInvocableHandlerMethod - Could not resolve parameter [0] in public XXXController.save(com.h2.mes.query.BOMSaveQuery): JSON parse error: Invalid UTF-8 middle byte 0x3f; nested exception is com.fasterxml.jackson.databind.JsonMappingException: Invalid UTF-8 middle byte 0x3f
at [Source: (PushbackInputStream); line: 9, column: 32] (through reference chain: com.h2.mes.query.BOMSaveQuery["list"]->java.util.ArrayList[0]->com.h2.mes.vo.BOMVO["type"])
2020-06-01 15:37:50.251 MES [XNIO-1 task-13] WARN o.s.w.s.m.s.DefaultHandlerExceptionResolver - Resolved [org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Invalid UTF-8 middle byte 0x3f; nested exception is com.fasterxml.jackson.databind.JsonMappingException: Invalid UTF-8 middle byte 0x3f
at [Source: (PushbackInputStream); line: 9, column: 32] (through reference chain: com.h2.mes.query.BOMSaveQuery["list"]->java.util.ArrayList[0]->com.h2.mes.vo.BOMVO["type"])]
2020-06-01 15:37:50.251 MES [XNIO-1 task-13] DEBUG o.s.web.servlet.DispatcherServlet - Completed 400 BAD_REQUEST
2020-06-01 15:37:50.251 MES [XNIO-1 task-13] DEBUG o.s.web.servlet.DispatcherServlet - "ERROR" dispatch for POST "/error", parameters={}
add a jvm arguement works for me.
java -Dfile.encoding=UTF-8