
Handling Errors on API services exposed in a Sitecore website

Recently, I encountered issues with the API exposed on a Sitecore website. The site offers several public API services (for example, to subscribe to a newsletter, [website url]/api/sitecore/newsletter/subscribe). The problem is that those public APIs are exposed to several kinds of attacks. In this case, someone was calling the public API without the required input parameters, attempting to identify vulnerabilities and reach the business logic.

Below is an example for this scenario.

//This is the API service /api/sitecore/newsletter/subscribe
using System.Web.Mvc;

public class NewsletterController : Controller
{
    public ActionResult Subscribe(int newsletterId, string email, string redirectId)
    {
        //logic for Subscribe method
        return new EmptyResult();
    }
}

The Subscribe method requires the input parameter newsletterId. Because int is not nullable, calling the service without it throws the exception “The parameters dictionary contains a null entry for parameter newsletterId.”

The problem here is where and how to capture that exception: it is thrown while MVC binds the action parameters, so the code inside the method is never executed and a try/catch in the method body cannot catch it.

Thanks to Jitendra Ghanekar, who explains the usage of ActionFilters in the MVC and Sitecore world in this video (https://www.youtube.com/watch?app=desktop&v=V5J6muh6nzA), I found the solution.

The solution is to implement a custom attribute that inherits from the HandleErrorAttribute class. For example, capture this specific exception related to a missing input parameter and redirect to another page, such as the 404 page of the website.

using System.Web.Mvc;

public class HandleErrorCustomAttribute : HandleErrorAttribute
{
    public override void OnException(ExceptionContext filterContext)
    {
        //Check if the exception occurs because of a missing input parameter
        if (filterContext.Exception.Message.Contains("The parameters dictionary contains a null entry for parameter"))
        {
            //Implement a custom logic. In my case I redirect to a 404 page
            filterContext.Result = new RedirectResult("/404");
            filterContext.ExceptionHandled = true;
        }
        else
        {
            base.OnException(filterContext);
        }
    }
}

After that, add the custom attribute to the API service method.

using System.Web.Mvc;

public class NewsletterController : Controller
{
    [HandleErrorCustom]
    public ActionResult Subscribe(int newsletterId, string email, string redirectId)
    {
        //logic for Subscribe method
        return new EmptyResult();
    }
}

To verify the fix, I called the API service in Postman without input parameters, and the 404 page was displayed.
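As an added example (not the post's code), a hardened version of the attribute above: it narrows the match to the exception type MVC throws for a missing non-nullable parameter, logs the request so probing of the public API becomes visible, and answers with a status code instead of echoing exception text. Log.Warn comes from Sitecore.Diagnostics; the RegisterGlobalFilters processor and its wiring into Sitecore's initialize pipeline are assumptions.

```csharp
using System;
using System.Net;
using System.Web.Mvc;
using Sitecore.Diagnostics;
using Sitecore.Pipelines;

// Hardened variant of the post's HandleErrorCustomAttribute (added example, not the original):
// type-checked match, a log entry for detection, and no exception text returned to the caller.
public class MissingParameterHandlerAttribute : HandleErrorAttribute
{
    // English text of the MVC binder message; the parameter name only appears in this
    // text, so the type check is combined with the text check rather than replacing it.
    private const string MissingParameterText =
        "The parameters dictionary contains a null entry for parameter";

    public override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.ExceptionHandled) return;
        // Parameter binding throws ArgumentException before the action body runs,
        // which is why a try/catch inside Subscribe never sees it.
        var argEx = filterContext.Exception as ArgumentException;
        if (argEx == null || !argEx.Message.Contains(MissingParameterText))
        {
            base.OnException(filterContext);
            return;
        }

        // Record caller address, path and the binder message (it names the parameter
        // and action, not user data) so repeated malformed calls stand out in the log.
        var request = filterContext.HttpContext.Request;
        Log.Warn($"Missing API parameter from {request.UserHostAddress} to {request.Path}: {argEx.Message}", this);

        // A bare 400 suits an API caller better than an HTML page; use
        // new RedirectResult("/404") here to keep the post's behaviour instead.
        filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        filterContext.HttpContext.Response.TrySkipIisCustomErrors = true;
        filterContext.ExceptionHandled = true;
    }
}

// Applies the filter to every controller action so a new endpoint cannot be forgotten.
// Assumed to be added to Sitecore's initialize pipeline through a config patch.
public class RegisterGlobalFilters
{
    public void Process(PipelineArgs args)
    {
        GlobalFilters.Filters.Add(new MissingParameterHandlerAttribute());
    }
}
```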

Finally, a filter derived from ActionFilterAttribute can also override the following methods to intercept controller actions before or after their execution:

  • OnActionExecuting – Called before a controller action is executed
  • OnActionExecuted – Called after a controller action is executed
  • OnResultExecuting – Called before a controller action result is executed
  • OnResultExecuted – Called after a controller action result is executed

See you next time, folks!!!