fix(rest-api): unwrap WebApplicationException from JasperException in rules include endpoint (#34888)

Tomcat/Jasper wraps any Throwable raised inside a JSP in a ServletException
before it leaves RequestDispatcher.include(), so the dedicated
catch(WebApplicationException) added in #35337 never matched at runtime and
/api/portlet/rules/include kept returning HTTP 200 with debug HTML instead
of the expected 400/404. The generic catch in BaseRestPortlet.getJspResponse()
now walks the cause chain and re-throws the WebApplicationException so JAX-RS
can map the proper status. Added unit tests that simulate the real Jasper
wrapping (the existing test mocked the dispatcher to throw the exception
directly, bypassing the wrapper).

Also in include.jsp:
- Validate the id parameter against UUIDUtil.isUUID before hitting the API,
  so an invalid format returns 400 instead of 404.
- Add DEBUG logging on every rejection branch; only log the id value once
  it has passed UUID validation, to avoid CWE-117 log injection from the
  unvalidated query parameter.

Refs: #34888

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: dsolistorres

dotCMS/src/main/java/com/dotcms/rest/BaseRestPortlet.java

@@ -121,6 +121,16 @@ private String getJspResponse ( HttpServletRequest request, HttpServletResponse
 		} catch (WebApplicationException e) {
 			throw e;
 		} catch (Exception e) {
+			// Servlet containers (Jasper) wrap any Throwable raised inside a JSP in a
+			// ServletException/JasperException, so a WebApplicationException thrown by
+			// the JSP arrives here as a *cause* — walk the chain and re-throw it so
+			// JAX-RS maps the proper HTTP status (e.g. 400/404) instead of returning
+			// a 200 with debug HTML.
+			for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
+				if (t instanceof WebApplicationException) {
+					throw (WebApplicationException) t;
+				}
+			}
 			Logger.debug(this.getClass(), "unable to parse: " + path);
 			Logger.error( this.getClass(), e.toString(), e );
 			StringWriter sw = new StringWriter();

dotCMS/src/main/webapp/WEB-INF/jsp/rules/include.jsp

@@ -4,6 +4,8 @@
 <%@ page import="com.dotmarketing.util.PortletURLUtil" %>
 <%@page import="com.dotmarketing.portlets.contentlet.model.Contentlet"%>
 <%@page import="com.dotmarketing.util.UtilMethods"%>
+<%@page import="com.dotmarketing.util.UUIDUtil"%>
+<%@page import="com.dotmarketing.util.Logger"%>
 <%@page import="com.liferay.util.Xss"%>
 <%@page import="javax.ws.rs.WebApplicationException"%>
 <%@page import="javax.ws.rs.core.Response"%>
@@ -12,17 +14,28 @@
 <%
     final String id = request.getParameter("id");
     if (!UtilMethods.isSet(id)) {
+        Logger.debug(this, "rules/include called with missing or empty 'id' parameter");
         throw new WebApplicationException(
             Response.status(Response.Status.BAD_REQUEST)
                 .entity("Missing or empty required parameter: id")
                 .build()
         );
     }
 
+    if (!UUIDUtil.isUUID(id)) {
+        Logger.debug(this, "rules/include called with invalid id format");
+        throw new WebApplicationException(
+            Response.status(Response.Status.BAD_REQUEST)
+                .entity("Invalid id format: " + Xss.encodeForHTML(id))
+                .build()
+        );
+    }
+
     Contentlet contentlet;
     try {
         contentlet = APILocator.getContentletAPI().findContentletByIdentifierAnyLanguage(id);
     } catch (final Exception e) {
+        Logger.debug(this, "rules/include - findContentletByIdentifierAnyLanguage failed for id=" + id, e);
         throw new WebApplicationException(
             Response.status(Response.Status.BAD_REQUEST)
                 .entity("Invalid id parameter: " + Xss.encodeForHTML(id))
@@ -31,6 +44,7 @@
     }
 
     if (contentlet == null || !UtilMethods.isSet(contentlet.getIdentifier())) {
+        Logger.debug(this, "rules/include - no contentlet found for id=" + id);
         throw new WebApplicationException(
             Response.status(Response.Status.NOT_FOUND)
                 .entity("No content found for id: " + Xss.encodeForHTML(id))

dotCMS/src/test/java/com/dotcms/rest/BaseRestPortletTest.java

@@ -106,6 +106,57 @@ public void getJspResponse_propagates404WhenJspThrowsWebApplicationException()
         }
     }
 
+    // -------------------------------------------------------------------------
+    // ServletException-wrapped WebApplicationException (real Jasper behaviour)
+    // -------------------------------------------------------------------------
+
+    @Test
+    public void getJspResponse_unwrapsWebApplicationExceptionFromServletException()
+            throws Exception {
+        final WebApplicationException root = new WebApplicationException(
+                Response.status(Response.Status.NOT_FOUND).entity("not found").build());
+        // Tomcat/Jasper wraps any throwable raised inside a JSP in a ServletException
+        // (specifically JasperException) before it reaches RequestDispatcher.include().
+        final javax.servlet.ServletException wrapped =
+                new javax.servlet.ServletException("jsp failed", root);
+        doThrow(wrapped).when(mockDispatcher).include(any(), any());
+
+        try {
+            getJspResponse.invoke(portlet, mockRequest, mockResponse, "rules", "include");
+            fail("Expected wrapped WebApplicationException to be unwrapped and re-thrown");
+        } catch (final InvocationTargetException e) {
+            assertTrue("Cause must be WebApplicationException",
+                    e.getCause() instanceof WebApplicationException);
+            assertEquals("HTTP status must be 404",
+                    Response.Status.NOT_FOUND.getStatusCode(),
+                    ((WebApplicationException) e.getCause()).getResponse().getStatus());
+        }
+    }
+
+    @Test
+    public void getJspResponse_unwrapsWebApplicationExceptionFromNestedCauseChain()
+            throws Exception {
+        final WebApplicationException root = new WebApplicationException(
+                Response.status(Response.Status.BAD_REQUEST).entity("bad id").build());
+        // Real Jasper wraps the JSP throwable; wrap again to simulate any extra layer
+        // (e.g. Jersey or filter-level wrappers) so the unwrap walks the full chain.
+        final javax.servlet.ServletException middle =
+                new javax.servlet.ServletException("jsp failed", root);
+        final RuntimeException outer = new RuntimeException("outer", middle);
+        doThrow(outer).when(mockDispatcher).include(any(), any());
+
+        try {
+            getJspResponse.invoke(portlet, mockRequest, mockResponse, "rules", "include");
+            fail("Expected nested WebApplicationException to be unwrapped and re-thrown");
+        } catch (final InvocationTargetException e) {
+            assertTrue("Cause must be WebApplicationException",
+                    e.getCause() instanceof WebApplicationException);
+            assertEquals("HTTP status must be 400",
+                    Response.Status.BAD_REQUEST.getStatusCode(),
+                    ((WebApplicationException) e.getCause()).getResponse().getStatus());
+        }
+    }
+
     // -------------------------------------------------------------------------
     // Ordinary exceptions → error HTML (existing behaviour preserved)
     // -------------------------------------------------------------------------