fix: return 400 for malformed JSON Patch pointers instead of 500 (#28316)

Client patches with paths missing the leading '/' (e.g., "displayName"
instead of "/displayName") triggered jakarta.json.JsonException from
JsonPointerImpl, which fell through the exception mapper and surfaced
as an unhandled 500 (and Sentry alert) on PATCH endpoints such as
ClassificationResource.

- JsonUtils.applyPatch now validates each operation's 'path' and 'from'
  upfront, throwing IllegalArgumentException with a clear RFC 6901
  message before the cryptic library exception fires.
- CatalogGenericExceptionMapper maps jakarta.json.JsonException to 400
  as defense in depth, covering other RFC 6902 violations (e.g.,
  out-of-range array index, replace on missing path) that were also
  returning 500.
- Added JsonUtilsTest cases for malformed 'path' and 'from' pointers.

Author: harshach

openmetadata-service/src/main/java/org/openmetadata/service/exception/CatalogGenericExceptionMapper.java

@@ -22,6 +22,7 @@
 import static jakarta.ws.rs.core.Response.Status.UNAUTHORIZED;
 
 import io.dropwizard.jersey.errors.ErrorMessage;
+import jakarta.json.JsonException;
 import jakarta.ws.rs.BadRequestException;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.ProcessingException;
@@ -49,6 +50,8 @@ public Response toResponse(Throwable ex) {
       return getRuleViolationResponse(ex);
     } else if (ex instanceof BadRequestException || ex instanceof IllegalArgumentException) {
       return getResponse(BAD_REQUEST, ex.getMessage());
+    } else if (ex instanceof JsonException) {
+      return getResponse(BAD_REQUEST, ex.getMessage());
     } else if (ex instanceof ProcessingException) {
       return getResponse(BAD_REQUEST, "Invalid request parameter");
     } else if (ex instanceof UnableToExecuteStatementException) {

openmetadata-service/src/test/java/org/openmetadata/service/util/JsonUtilsTest.java

@@ -21,10 +21,12 @@
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.JsonNode;
 import jakarta.json.Json;
+import jakarta.json.JsonArray;
 import jakarta.json.JsonArrayBuilder;
 import jakarta.json.JsonException;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonObjectBuilder;
+import jakarta.json.JsonPatch;
 import jakarta.json.JsonPatchBuilder;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -117,6 +119,54 @@ void applyPatch() {
     assertTrue(jsonException.getMessage().contains("An array item index is out of range"));
   }
 
+  @Test
+  void applyPatchRejectsMalformedJsonPointerPath() {
+    JsonObjectBuilder teamJson = Json.createObjectBuilder();
+    teamJson.add("id", UUID.randomUUID().toString()).add("name", "finance");
+    Team original = JsonUtils.readValue(teamJson.build().toString(), Team.class);
+
+    JsonArray malformedPatch =
+        Json.createArrayBuilder()
+            .add(
+                Json.createObjectBuilder()
+                    .add("op", "replace")
+                    .add("path", "displayName")
+                    .add("value", "Finance Team"))
+            .build();
+    JsonPatch patch = Json.createPatch(malformedPatch);
+
+    IllegalArgumentException ex =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> JsonUtils.applyPatch(original, patch, Team.class));
+    assertTrue(ex.getMessage().contains("displayName"));
+    assertTrue(ex.getMessage().contains("must begin with '/'"));
+  }
+
+  @Test
+  void applyPatchRejectsMalformedFromPointer() {
+    JsonObjectBuilder teamJson = Json.createObjectBuilder();
+    teamJson.add("id", UUID.randomUUID().toString()).add("name", "finance");
+    Team original = JsonUtils.readValue(teamJson.build().toString(), Team.class);
+
+    JsonArray malformedPatch =
+        Json.createArrayBuilder()
+            .add(
+                Json.createObjectBuilder()
+                    .add("op", "move")
+                    .add("from", "name")
+                    .add("path", "/displayName"))
+            .build();
+    JsonPatch patch = Json.createPatch(malformedPatch);
+
+    IllegalArgumentException ex =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> JsonUtils.applyPatch(original, patch, Team.class));
+    assertTrue(ex.getMessage().contains("from"));
+    assertTrue(ex.getMessage().contains("must begin with '/'"));
+  }
+
   @Test
   void testReadValuePassingTypeReference() {
     Map<String, String> expectedMap = Map.of("key1", "value1", "key2", "value2");

openmetadata-spec/src/main/java/org/openmetadata/schema/utils/JsonUtils.java

@@ -335,6 +335,8 @@ public static JsonValue applyPatch(Object original, JsonPatch patch) {
         continue;
       }
 
+      validateJsonPointer(path, "path");
+
       // Skip operations on read-only auto-generated fields
       if (isReadOnlyPatchPath(path)) {
         continue;
@@ -343,6 +345,9 @@ public static JsonValue applyPatch(Object original, JsonPatch patch) {
       // For copy/move operations, also check the 'from' field if present
       if (jsonObject.containsKey("from")) {
         String from = jsonObject.getString("from", null);
+        if (from != null) {
+          validateJsonPointer(from, "from");
+        }
         if (isReadOnlyPatchPath(from)) {
           continue;
         }
@@ -366,6 +371,15 @@ public static JsonValue applyPatch(Object original, JsonPatch patch) {
     return currentJson;
   }
 
+  private static void validateJsonPointer(String pointer, String fieldName) {
+    if (!pointer.isEmpty() && pointer.charAt(0) != '/') {
+      throw new IllegalArgumentException(
+          String.format(
+              "Invalid JSON Patch '%s' value '%s' - non-empty JSON Pointer must begin with '/' (RFC 6901)",
+              fieldName, pointer));
+    }
+  }
+
   private static boolean isReadOnlyPatchPath(String path) {
     if (path == null || path.isBlank()) {
       return false;