Return 404 instead of HTML for missing API methods. (#24590)

* Return 404 instead of HTML for missing API methods. * Adding changelog snippet. * Clarifying changelog snippet. * Adding comment, extracting constant.
2026-03-13 09:32:21 +08:00 · 2026-01-06 14:12:44 +01:00
parent 196c314ee7
commit 615990f759
3 changed files with 10 additions and 1 deletions
--- a/changelog/unreleased/pr-24590.toml
+++ b/changelog/unreleased/pr-24590.toml
@@ -0,0 +1,4 @@
+type = "f"
+message = "Return 404 instead of HTML for non-existent API methods."
+
+pulls = ["24590"]
--- a/graylog2-server/src/main/java/org/graylog2/configuration/HttpConfiguration.java
+++ b/graylog2-server/src/main/java/org/graylog2/configuration/HttpConfiguration.java
@@ -47,7 +47,8 @@ public class HttpConfiguration {
    private static final int GRAYLOG_DEFAULT_PORT = 9000;

    public static final String OVERRIDE_HEADER = "X-Graylog-Server-URL";
-    public static final String PATH_API = "api/";
+    public static final String API_PREFIX = "api";
+    public static final String PATH_API = API_PREFIX + "/";

    @Documentation("""
            ## HTTP bind address
--- a/graylog2-server/src/main/java/org/graylog2/web/resources/WebInterfaceAssetsResource.java
+++ b/graylog2-server/src/main/java/org/graylog2/web/resources/WebInterfaceAssetsResource.java
@@ -162,6 +162,10 @@ public class WebInterfaceAssetsResource {
    @Path("{filename:.*}")
    public Response getIndex(@Context ContainerRequest request,
                             @Context HttpHeaders headers) {
+        // If we end up here, the request should go to the API, but no resource class matched it, so we return a 404.
+        if (request.getAbsolutePath().getPath().startsWith("/" + HttpConfiguration.API_PREFIX)) {
+            return Response.status(Response.Status.NOT_FOUND).build();
+        }
        final URI originalLocation = request.getRequestUri();
        return get(request, headers, originalLocation.getPath());
    }