Artifacts: potentially dangerous path
I'm running into an issue with our TeamCity when trying to add build artifacts and get them to show those in the build results. The error I'm receiving is "A potentially dangerous Request.Path value was detected from the client (:)."
The path being requested looks like this: "https://ourbuildserver.net/app/rest/ui/projects/id:OurProject/branches?locator=policy%3AACTIVE_HISTORY_AND_ACTIVE_VCS_BRANCHES%2CchangesFromDependencies%3Afalse%2CincludeGroups%3Atrue&fields=branch(internalName,name,default,active,groupFlag)".
If I drill down into the project and click the artifacts path, I get the same error, with a different path: "https://ourbuildserver/app/rest/ui/builds/id:3728/artifacts/children?fields=file(name,size)&locator=hidden:any".
It looks like the first request is partially URL encoded, but the "id:OurProject" piece is not. The second request has less problems but still has the "id:3728" part unencoded.
I have tried digging through settings, looking for anything that might help mitigate this issue, but have been unsuccessful.
Version: TeamCity Professional 2020.1.2 (build 78726)
Please sign in to leave a comment.
Hello Joe,
Basing on the error message you see, this appears to be an IIS-raised error (in case you have IIS-based proxy before TeamCity) - please see the following article for the details:
https://knowledgebase.progress.com/articles/Article/a-potentially-dangerous-request-path-value-was-detected-from-the-client
As far as I could see, IIS allows to mark certain characters (in this case I believe it is ampersand between "locator" and "fields" request parts which causes the issue) as allowed to be a part of URL. One of those approaches could be found here: https://dirk.net/2008/06/09/ampersand-the-request-url-in-iis7/
You could also try to access the artifacts directly on the server, bypassing the proxy - if my hypothesis is correct, it should work just fine.
Looking forward to hear from you on the matter.
@... - Thanks for the response.
Yes, this turned out to be an IIS settings issue, although not an obvious one. I had previously checked the IIS Website Configuration settings for 'requestPathInvalidCharacters' and 'requestValidationMode'. Both were blank for our TeamCity website.
This link pointed me in the direction of modifying both of those settings. I changed the `requestValidationMode` to '2.0' then updated the value for invalid path characters. Once I set the value of `requestPathInvalidCharacters` to anything other than blank (I used '*'), the artifacts started displaying in the UI properly. Going back, I modified the setting again to clear it back out, and the artifacts are still displaying as expected.
Cheers!
Joe,
Good to know this was helpful - thank you for coming back on the request!
Have a great day.