Harden parseErrorCodeFromS3 to never throw on non-XML responses (apple#12986) (apple#12996)

saintstack · web-flow · commit 86ab72ef0cb6 · 2026-04-20T16:44:30.000-07:00
Return "" instead of throwing on parse failures since many HTTP error responses (502/503 HTML pages, empty bodies) are not XML. Remove unused backup_parse_s3_response_failure error code. Fix const-ref parameter and add unit tests. (cherry picked from commit 7388f54)
diff --git a/fdbclient/S3BlobStore.actor.cpp b/fdbclient/S3BlobStore.actor.cpp
@@ -899,32 +899,34 @@ std::string awsCanonicalURI(const std::string& resource, std::vector<std::string
 }
 
 // ref: https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
-std::string parseErrorCodeFromS3(std::string xmlResponse) {
-	// Copy XML string to a modifiable buffer
+// Returns the S3 error code string from an XML error response, or "" if the response
+// cannot be parsed. This is best-effort for logging/diagnostics only — many HTTP error
+// responses (502/503 from load balancers, empty bodies, HTML responses) are not XML.
+std::string parseErrorCodeFromS3(const std::string& response) {
+	if (response.empty()) {
+		return "";
+	}
 	try {
-		std::vector<char> xmlBuffer(xmlResponse.begin(), xmlResponse.end());
-		xmlBuffer.push_back('\0'); // Ensure null-terminated string
-		// Parse the XML
+		std::vector<char> xmlBuffer(response.begin(), response.end());
+		xmlBuffer.push_back('\0');
 		xml_document<> doc;
 		doc.parse<0>(&xmlBuffer[0]);
-		// Find the root node
 		xml_node<>* root = doc.first_node("Error");
 		if (!root) {
-			TraceEvent(SevWarn, "ParseS3XMLResponseNoError").detail("Response", xmlResponse).log();
 			return "";
 		}
-		// Find the <Code> node
 		xml_node<>* codeNode = root->first_node("Code");
 		if (!codeNode) {
-			TraceEvent(SevWarn, "ParseS3XMLResponseNoErrorCode").detail("Response", xmlResponse).log();
 			return "";
 		}
 		return std::string(codeNode->value());
-	} catch (Error e) {
-		TraceEvent("BackupParseS3ErrorCodeFailure").errorUnsuppressed(e);
-		throw backup_parse_s3_response_failure();
 	} catch (...) {
-		throw backup_parse_s3_response_failure();
+		// Parse failures are expected for non-XML responses (HTML error pages, empty bodies, etc.)
+		TraceEvent("ParseS3ErrorCodeNonXML")
+		    .suppressFor(60)
+		    .detail("ResponseSize", response.size())
+		    .detail("ResponseHead", response.substr(0, 200));
+		return "";
 	}
 }
 
@@ -2420,3 +2422,66 @@ TEST_CASE("/backup/s3/guess_region") {
 	}
 	return Void();
 }
+
+TEST_CASE("/backup/s3/parseErrorCodeFromS3") {
+	// Valid S3 error XML — should extract the error code
+	{
+		std::string xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+		                  "<Error><Code>AccessDenied</Code>"
+		                  "<Message>Access Denied</Message></Error>";
+		ASSERT(parseErrorCodeFromS3(xml) == "AccessDenied");
+	}
+
+	// InvalidToken error
+	{
+		std::string xml = "<Error><Code>InvalidToken</Code>"
+		                  "<Message>The provided token is malformed or otherwise invalid.</Message></Error>";
+		ASSERT(parseErrorCodeFromS3(xml) == "InvalidToken");
+	}
+
+	// ExpiredToken error
+	{
+		std::string xml = "<Error><Code>ExpiredToken</Code><Message>Token expired</Message></Error>";
+		ASSERT(parseErrorCodeFromS3(xml) == "ExpiredToken");
+	}
+
+	// Missing <Code> node — should return ""
+	{
+		std::string xml = "<Error><Message>Something went wrong</Message></Error>";
+		ASSERT(parseErrorCodeFromS3(xml) == "");
+	}
+
+	// No <Error> root — should return ""
+	{
+		std::string xml = "<ListBucketResult><Name>bucket</Name></ListBucketResult>";
+		ASSERT(parseErrorCodeFromS3(xml) == "");
+	}
+
+	// Empty response — should return ""
+	{
+		ASSERT(parseErrorCodeFromS3("") == "");
+	}
+
+	// HTML error page from load balancer (502/503) — should return "", not throw
+	{
+		std::string html = "<html><body><h1>502 Bad Gateway</h1></body></html>";
+		ASSERT(parseErrorCodeFromS3(html) == "");
+	}
+
+	// Completely invalid / garbage — should return "", not throw
+	{
+		ASSERT(parseErrorCodeFromS3("not xml at all {{{") == "");
+	}
+
+	// Partial XML — should return "", not throw
+	{
+		ASSERT(parseErrorCodeFromS3("<Error><Code>Incomple") == "");
+	}
+
+	// Plain text error — should return "", not throw
+	{
+		ASSERT(parseErrorCodeFromS3("Internal Server Error") == "");
+	}
+
+	return Void();
+}
diff --git a/flow/include/flow/error_definitions.h b/flow/include/flow/error_definitions.h
@@ -352,7 +352,6 @@ ERROR( backup_does_not_exist, 2319, "Backup does not exist")
 ERROR( backup_not_filterable_with_key_ranges, 2320, "Backup before 6.3 cannot be filtered with key ranges")
 ERROR( backup_not_overlapped_with_keys_filter, 2321, "Backup key ranges doesn't overlap with key ranges filter")
 ERROR( bucket_not_in_url, 2322, "bucket is not in the URL for backup" )
-ERROR( backup_parse_s3_response_failure, 2323, "cannot parse s3 response properly" )
 ERROR( restore_invalid_version, 2361, "Invalid restore version")
 ERROR( restore_corrupted_data, 2362, "Corrupted backup data")
 ERROR( restore_missing_data, 2363, "Missing backup data")
