Play framework file upload returns 403 - scala

I have a simple method to upload a file in a service:
def addFileTest(): Action[AnyContent] = Action { request: Request[AnyContent] =>
  val file = request.body.asMultipartFormData.get.file("file")
  val fileRef = FileRef(file.get.ref.path.toUri.toString)
  // FileRef is a wrapper around File
  Ok("File uploaded " + fileRef.getContentAsStringSync)
}
and a file with the following content:
<!-- saved from url=(0120)https://energyplus.net/weather-download/europe_wmo_region_6/NLD//NLD_Amsterdam.062400_IWEC/NLD_Amsterdam.062400_IWEC.epw -->
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>
LOCATION,Napier,Hawkes Bay,New Zealand,TMY2 NIWA 2980 D96484,933730,-39.46,176.86,12,3
When I try to upload a file on my local machine, everything works fine and I get this result back:
File uploaded <!-- saved from url=(0120)https://energyplus.net/weather-download/europe_wmo_region_6/NLD//NLD_Amsterdam.062400_IWEC/NLD_Amsterdam.062400_IWEC.epw -->
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>LOCATION,Napier,Hawkes Bay,New Zealand,TMY2 NIWA 2980 D96484,933730,-39.46,176.86,12,3
After deploying the service on AWS with an SSL certificate, I get a 403:
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
Any ideas why I get a 403 on AWS? From my testing it looks like the HTML tag is at fault. I tried to remote debug it but it is not reaching my code.

Related

Content Security Policy for Firefox extension/addon blocking scripts

I've been attempting to fix a content security policy error for my Firefox addon (a new tab page) for weeks now. I've tried many different things but to no avail :(
My content security policy in manifest.json (v2):
"content_security_policy": "script-src * 'self' 'unsafe-inline' 'unsafe-eval' https://stripe.com/ https://js.stripe.com/ https://js.stripe.com/v3/ http://api.weatherapi.com/ https://api.mapbox.com/ localhost: blob:* ; worker-src * blob: ; child-src * blob: ; img-src * data: blob: ; connect-src * https://*.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com localhost: blob:* ;",
Errors shown in console:
Loading failed for the <script> with source “https://api.mapbox.com/mapbox-gl-js/v2.9.1/mapbox-gl.js”. index.html:1:1
Loading failed for the <script> with source “https://js.stripe.com/v3/”. index.html:1:1
Loading failed for the <script> with source “https://unpkg.com/flowbite#1.5.1/dist/flowbite.js”. index.html:1:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://api.mapbox.com/mapbox-gl-js/v2.9.1/mapbox-gl.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://js.stripe.com/v3/ (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://unpkg.com/flowbite#1.5.1/dist/flowbite.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 2 moz-extension:1:1
Index.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="icon" href="%PUBLIC_URL%/favicon.ico">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#000000">
<meta name="description" content="The most beautiful places in the world on every new tab.">
<meta http-equiv="Content-Security-Policy" content="script-src * 'self' 'unsafe-inline' 'unsafe-eval' https://stripe.com/ https://js.stripe.com/ https://js.stripe.com/v3/ http://api.weatherapi.com/ https://api.mapbox.com/ localhost: blob:* ; worker-src * blob: ; child-src * blob: ; img-src * data: blob: ; connect-src * https://*.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com localhost: blob:* ;">
<!-- Flowbite -->
<link rel="stylesheet" href="https://unpkg.com/flowbite#1.5.1/dist/flowbite.min.css" />
<!-- Mapbox -->
<script src="https://api.mapbox.com/mapbox-gl-js/v2.9.1/mapbox-gl.js"></script>
<!-- Stripe -->
<script src="https://js.stripe.com/v3/"></script>
<script>
mapboxgl.workerUrl = "https://api.mapbox.com/mapbox-gl-js/v2.9.1/mapbox-gl-csp-worker.js";
</script>
<link rel="apple-touch-icon" href="%PUBLIC_URL%/logo192.png">
<!--
manifest.json provides metadata used when your web app is installed on a
user's mobile device or desktop. See https://developers.google.com/web/fundamentals/web-app-manifest/
-->
<!--
Notice the use of %PUBLIC_URL% in the tags above.
It will be replaced with the URL of the `public` folder during the build.
Only files inside the `public` folder can be referenced from the HTML.
Unlike "/favicon.ico" or "favicon.ico", "%PUBLIC_URL%/favicon.ico" will
work correctly both with client-side routing and a non-root public URL.
Learn how to configure a non-root public URL by running `npm run build`.
-->
<title>Wanderlust - Exploring new locations around the world.</title>
<script>
// It's best to inline this in `head` to avoid FOUC (flash of unstyled content) when changing pages or themes
if (
localStorage.getItem('color-theme') === 'dark' ||
(!('color-theme' in localStorage) &&
window.matchMedia('(prefers-color-scheme: dark)').matches)
) {
document.documentElement.classList.add('dark');
} else {
document.documentElement.classList.remove('dark');
}
</script>
</head>
<body>
<noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root"></div>
<!--
This HTML file is a template.
If you open it directly in the browser, you will see an empty page.
You can add webfonts, meta tags, or analytics to this file.
The build step will place the bundled scripts into the <body> tag.
To begin the development, run `npm start` or `yarn start`.
To create a production bundle, use `npm run build` or `yarn build`.
-->
<script src="https://unpkg.com/flowbite#1.5.1/dist/flowbite.js"></script>
</body>
</html>
I have an inline script, a personal API I request from, and external scripts (Mapbox, Flowbite, Stripe and a few others). Thanks for your help!
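Added example, not part of the original post: a small linter that parses the policy string quoted above with the CSP source-list grammar and flags source expressions that do not mean what they appear to mean. The issue names and the KNOWN_SCHEMES list are assumptions of this example, and it does not model the extra restrictions Firefox applies to extension CSPs.

```javascript
// Added example: lint a CSP string against the CSP source-list grammar.
// Issue names and KNOWN_SCHEMES are this example's own (assumptions).
const KNOWN_SCHEMES = new Set(["http", "https", "ws", "wss", "data", "blob", "filesystem"]);
const SCHEME_STAR = /^([a-z][a-z0-9+.-]*):\*$/i; // e.g. blob:*
const SCHEME_ONLY = /^([a-z][a-z0-9+.-]*):$/i;   // e.g. blob: or localhost:
const HOST_SOURCE = /^(https?:\/\/)?[a-z0-9*.-]+(:\d+|:\*)?(\/.*)?$/i;

// Policy copied from the manifest.json line in the post above.
const POLICY = "script-src * 'self' 'unsafe-inline' 'unsafe-eval' https://stripe.com/ https://js.stripe.com/ https://js.stripe.com/v3/ http://api.weatherapi.com/ https://api.mapbox.com/ localhost: blob:* ; worker-src * blob: ; child-src * blob: ; img-src * data: blob: ; connect-src * https://*.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com localhost: blob:* ;";

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A directive name that repeats is ignored after its first occurrence.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function lintCsp(policy) {
  const findings = [];
  for (const [directive, sources] of parseCsp(policy)) {
    const wildcard = sources.includes("*");
    for (const source of sources) {
      const add = (issue) => findings.push({ directive, source, issue });
      let m;
      if ((m = SCHEME_STAR.exec(source)) && KNOWN_SCHEMES.has(m[1].toLowerCase())) {
        add("parsed-as-host-any-port"); // a host named "blob", not the blob: scheme
      } else if ((m = SCHEME_ONLY.exec(source)) && !KNOWN_SCHEMES.has(m[1].toLowerCase())) {
        add("parsed-as-unknown-scheme"); // "localhost:" is a scheme, not a host
      } else if (wildcard && source !== "*" && HOST_SOURCE.test(source)) {
        add("redundant-with-wildcard"); // "*" already allows every http(s) host
      } else if (directive === "script-src" &&
                 ["*", "'unsafe-inline'", "'unsafe-eval'"].includes(source)) {
        add("weakens-script-src"); // removes most of what script-src protects
      }
    }
  }
  return findings;
}

for (const f of lintCsp(POLICY)) console.log(`${f.directive}: ${f.source} -> ${f.issue}`);
```

To allow blob: URLs the source is written `blob:`, and a local development host is written as a host such as `http://localhost:*`.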

Loading PayPal Smart Buttons (JS SDK) with Brave Browser throws errors

I'm trying to get a basic PayPal button on my web page, but I can't even load the API without getting errors. I've asked for help on PayPal's own forum, but no one replies.
Here is my page. I'm running in sandbox mode. I've replaced the actual client ID below with [CLIENTID].
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>PayPal test</title>
</head>
<body>
<script src="https://www.paypal.com/sdk/js?debug=true&client-id=[CLIENTID]"></script>
</body>
</html>
I can add a button to the page, and make a purchase, so the buying process works. But it always throws this error at page load. I'm on Win10, Brave Browser (based on Chromium).
js?debug=true&client…ruzpDLhao-FzS6:2659 unhandled_error
{err: "Error: Invalid json: .↵ at XMLHttpRequest.<anon…[CLIENTID]:2597:55)", timestamp: "1601234382102", referer: "localhost", uid: "9b7c68f416_mtk6mtc6ntq", env: "sandbox"}
env: "sandbox"
err: "Error: Invalid json: .↵ at XMLHttpRequest.<anonymous> (https://www.paypal.com/sdk/js?debug=true&client-id=[CLIENTID]:2597:55)"
referer: "localhost"
timestamp: "1601234382102"
uid: "9b7c68f416_mtk6mtc6ntq"
__proto__: Object
===============================================================
UPDATE
Sorry, I incorrectly wrote I am on Google Chrome. I'm on Brave Browser (based on Chromium). I've tested on Google Chrome and MS Edge, and it works there. Brave is where the errors happen. I've tried to add a new sandbox app, but get the same error. I've used the Brave browser settings to allow my site all privileges, but still the same error.
Live test:
Just loading API: https://www.trainerslab.app/PayPalTest.html
Example from PayPal dev site: https://www.trainerslab.app/PayPalTest2.html

<title>Error 403 No valid crumb was included in the request</title> getting same in Eclipse using restassured

I am getting this error while calling a REST API which works from Postman.
IDE: Eclipse, using REST Assured
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /serviceurl.postregisterurl. Reason:
<pre> No valid crumb was included in the request</pre></p><hr>Powered by Jetty:// 9.4.z-SNAPSHOT<hr/>
</body>
</html>

SoundCloud API return error 403 - Forbidden for all request from my VPS

I have a simple request to the SoundCloud API for which I get the correct response on my local machine. But when I put it on my VPS, the API returned error 403 - Forbidden. I have been looking around and found no documentation or proper explanation for this. This is happening for all requests to the SoundCloud API from my VPS (not 50% like the other post that I found here).
$ curl https://api.soundcloud.com/tracks/197355235\?client_id\=978b6cc3cb0ba473f75da8bf6d3d0990
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>403 - Forbidden</title>
</head>
<body>
<h1>403 - Forbidden</h1>
</body>
</html>
Same for me.
It seems to be a blacklist, but SoundCloud do not respond when you try to contact them...
If your host is OVH, read this:
Soundcloud 403 error for a range of IPs

Redmine rest api returns html document

I am trying to connect PyCharm/small Python projects to my Redmine server, but the REST API returns this:
Error fetching issues for: /projects//issues.xml?key=(my secret key)&fields%5B%5D=status_id&operators%5Bstatus_id%5D=o&values%5Bstatus_id%5D%5B%5D=1&per_page=10, HTTP status code: 200
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv='content-type' content='text/html; charset=UTF-8'>
<meta name="VERSION" content="">
<meta name="DATA" content="fwdnode7-bl.web-hosting.com (my redmine server)">
<link href=" " rel="shortcut icon" type="image/x-icon">
<title></title>
</head>
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://(my redmine server)" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
<noframes><h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br>
<center>Click <a href="http://(my redmine server)" >here</a> to enter the site.</center>
</noframes>
</html>
Information about environment:
Redmine version 2.5.1.stable.13174
Ruby version 2.0.0-p481 (2014-05-08) [x86_64-linux]
Rails version 3.2.18
Environment production
Database adapter Mysql2
REST API and JSON are enabled in Redmine's settings
How can I resolve this issue?