Exception in Jersey Jetty handler's Host header parsing bubbles up to the top

[gredler]

If you deploy a Jersey + Jetty service to the big, bad public internet the service will inevitably start to receive requests with malicious or malformed Host (or X-Forwarded-Host) headers. Instead of responding with HTTP 4XX errors, as would be expected, the Jersey internals will generate HTTP 500 errors.

Note that JettyHttpContainer.handle(...) already contains a try/catch block where URISyntaxException seems to be handled correctly, but JettyHttpContainer.getBaseUri(...) wraps its URISyntaxException in an IllegalArgumentException -- unlike JettyHttpContainer.getRequestUri(...), which throws it unmodified. My guess is that JettyHttpContainer.getBaseUri(...) just needs to be allowed to also throw its URISyntaxException unmodified, so that the try/catch in JettyHttpContainer.handle(...) can handle it.

Sample problematic Host header:

Host: _foo.com

Sample stack trace for the exception which is uncaught and triggers the HTTP 500 error response:

java.lang.RuntimeException: java.lang.IllegalArgumentException: java.net.URISyntaxException: Illegal character in hostname at index 7: http://_foo.com:80/
	at org.glassfish.jersey.jetty.JettyHttpContainer.handle(JettyHttpContainer.java:179)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ResourceHandler.handle(ResourceHandler.java:266)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:190)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:571)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.lang.IllegalArgumentException: java.net.URISyntaxException: Illegal character in hostname at index 7: http://_foo.com:80/
	at org.glassfish.jersey.jetty.JettyHttpContainer.getBaseUri(JettyHttpContainer.java:246)
	at org.glassfish.jersey.jetty.JettyHttpContainer.handle(JettyHttpContainer.java:151)
	... 25 common frames omitted
Caused by: java.net.URISyntaxException: Illegal character in hostname at index 7: http://_foo.com:80/
	at java.base/java.net.URI$Parser.fail(URI.java:2915)
	at java.base/java.net.URI$Parser.parseHostname(URI.java:3450)
	at java.base/java.net.URI$Parser.parseServer(URI.java:3299)
	at java.base/java.net.URI$Parser.parseAuthority(URI.java:3218)
	at java.base/java.net.URI$Parser.parseHierarchical(URI.java:3160)
	at java.base/java.net.URI$Parser.parse(URI.java:3116)
	at java.base/java.net.URI.<init>(URI.java:685)
	at org.glassfish.jersey.jetty.JettyHttpContainer.getBaseUri(JettyHttpContainer.java:244)
	... 26 common frames omitted