fix(mpt-v1): prevent leak of information through template resolution …

…endpoint (#3706) (#3710)

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

orca-web/src/main/groovy/com/netflix/spinnaker/orca/controllers/PipelineTemplateController.groovy

@@ -17,12 +17,16 @@ package com.netflix.spinnaker.orca.controllers
 
 import com.netflix.spinnaker.kork.web.exceptions.InvalidRequestException
 import com.netflix.spinnaker.orca.pipelinetemplate.PipelineTemplateService
+import com.netflix.spinnaker.orca.pipelinetemplate.exceptions.TemplateLoaderException
 import com.netflix.spinnaker.orca.pipelinetemplate.v1schema.converter.PipelineTemplateConverter
 import com.netflix.spinnaker.orca.pipelinetemplate.v1schema.model.PipelineTemplate
 import com.netflix.spinnaker.orca.pipelinetemplate.v1schema.model.TemplateConfiguration.TemplateSource
 import groovy.util.logging.Slf4j
+import javax.servlet.http.HttpServletResponse
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression
+import org.springframework.http.HttpStatus
+import org.springframework.web.bind.annotation.ExceptionHandler
 import org.springframework.web.bind.annotation.RequestBody
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RequestMethod
@@ -51,4 +55,10 @@ class PipelineTemplateController {
   String convertPipelineToPipelineTemplate(@RequestBody Map<String, Object> pipeline) {
     new PipelineTemplateConverter().convertToPipelineTemplate(pipeline)
   }
+
+  @ExceptionHandler(TemplateLoaderException)
+  static void handleTemplateLoaderException(TemplateLoaderException tle, HttpServletResponse response) {
+    log.error("Could not load pipeline template from source: {}", tle.message)
+    response.sendError(HttpStatus.BAD_REQUEST.value(), "Could not load pipeline template from source")
+  }
 }