Prevent raw request body as output in serialization error messages #3205


willyborankin
Collaborator

@willyborankin willyborankin commented Aug 19, 2023

Description

Same as #3195.

Excluded sensitive info for Java stack trace:

  • YAML object mapper as well
  • NonValidatingObjectMapper
  • defaulOmittingObjectMapper

For more details, see https://github.com/FasterXML/jackson-core/wiki/JsonParser-Features#misc-other

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
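
The effect of the change, as an added example that is not code from this pull request or from the project: a malformed request body is parsed by one Jackson mapper that includes the source excerpt in the error location and one that does not. It assumes jackson-databind 2.x on the classpath and that `JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION` is the setting the linked wiki section refers to; the class name and sample body are constructed.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class SourceInLocationDemo {
    // Constructed sample values, not taken from the pull request.
    static final String SECRET = "s3cr3t-constructed";
    // Malformed on purpose: the array is closed with '}' so parsing fails
    // after the parser has already read past the secret.
    static final String BODY =
        "{\"user\":\"alice\",\"password\":\"" + SECRET + "\",\"roles\":[}";

    // Returns the parse error text that a caller might log or put in a response.
    static String parseError(ObjectMapper mapper) {
        try {
            mapper.readTree(BODY);
            return "";
        } catch (IOException e) { // Jackson parse errors extend IOException
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Set explicitly on both mappers so the result does not depend on
        // the default of the Jackson version in use.
        ObjectMapper withSource = new ObjectMapper()
            .configure(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION, true);
        ObjectMapper withoutSource = new ObjectMapper()
            .configure(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION, false);

        String leakyMsg = parseError(withSource);
        String hardenedMsg = parseError(withoutSource);
        System.out.println("source in location ON : " + leakyMsg);
        System.out.println("source in location OFF: " + hardenedMsg);

        // Regression check: parsing must fail, and the failure text must not
        // carry any part of the request body.
        if (hardenedMsg.isEmpty() || hardenedMsg.contains(SECRET)) {
            throw new AssertionError("request body leaked into the error message");
        }
    }
}
```

The flag only strips the source excerpt from the location part of the message. Data-binding errors such as `InvalidFormatException` can still quote the offending value, so error text returned to clients still needs review.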

@codecov

codecov bot commented Aug 19, 2023

Codecov Report

Merging #3205 (60ebb30) into main (37639cd) will increase coverage by 0.02%.
Report is 20 commits behind head on main.
The diff coverage is 75.00%.


@@             Coverage Diff              @@
##               main    #3205      +/-   ##
============================================
+ Coverage     62.46%   62.49%   +0.02%     
- Complexity     3353     3354       +1     
============================================
  Files           254      254              
  Lines         19748    19750       +2     
  Branches       3334     3334              
============================================
+ Hits          12335    12342       +7     
+ Misses         5783     5778       -5     
  Partials       1630     1630              

| Files Changed | Coverage Δ |
| --- | --- |
| ...opensearch/security/NonValidatingObjectMapper.java | 52.94% <50.00%> (+5.88%) ⬆️ |
| ...a/org/opensearch/security/DefaultObjectMapper.java | 65.43% <100.00%> (+0.87%) ⬆️ |

... and 2 files with indirect coverage changes

@willyborankin willyborankin force-pushed the exlude-sesitive-info-from-stacktrace-yaml branch 2 times, most recently from d173987 to 07a9c4d Compare August 19, 2023 19:47
@willyborankin willyborankin added the backport 2.x backport to 2.x branch label Aug 19, 2023
@willyborankin willyborankin changed the title Exclude sensitive info in case YAML serialization fails Exclude sensitive info for YAML ojbect mapper and NonValidatingObjectMapper Aug 19, 2023
@willyborankin willyborankin changed the title Exclude sensitive info for YAML ojbect mapper and NonValidatingObjectMapper Exclude sensitive info for YAML object mapper and NonValidatingObjectMapper Aug 20, 2023
Excluded sensitive info from Java stack trace for:
- YAML object mapper as well
- NonValidatingObjectMapper
- defaulOmittingObjectMapper

Signed-off-by: Andrey Pleskach <ples@aiven.io>
@willyborankin willyborankin force-pushed the exlude-sesitive-info-from-stacktrace-yaml branch from 07a9c4d to 60ebb30 Compare August 21, 2023 13:57
@willyborankin willyborankin changed the title Exclude sensitive info for YAML object mapper and NonValidatingObjectMapper Exclude sensitive info for YAML object mapper, defaulOmittingObjectMapper and NonValidatingObjectMapper Aug 21, 2023
@peternied peternied changed the title Exclude sensitive info for YAML object mapper, defaulOmittingObjectMapper and NonValidatingObjectMapper Prevent sensitive info in exception messages Aug 28, 2023
@peternied peternied changed the title Prevent sensitive info in exception messages Prevent raw request body as output in serialization error messages Aug 28, 2023
@willyborankin willyborankin added the v2.10.0 Issues targeting release v2.10.0 label Aug 29, 2023
@peternied
Member

codecov/project Failing after 1s — 62.44% (-0.03%) compared to 37639cd

I'm going to ignore this check because the following checks are all clear as far as I am concerned.

codecov/patch — 75.00% of diff hit (target 62.46%)
codecov/project/inconsistent-coverage-files — 69.67% (+0.40%) compared to 37639cd
codecov/project/plugin — 62.11% (+0.00%) compared to 37639cd

@peternied peternied merged commit 9fb106c into opensearch-project:main Aug 31, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Aug 31, 2023
…3205)

Excluded sensitive info for Java stack trace:
- YAML object mapper as well
- NonValidatingObjectMapper
- defaulOmittingObjectMapper

For more details, see
https://github.com/FasterXML/jackson-core/wiki/JsonParser-Features#misc-other

Signed-off-by: Andrey Pleskach <ples@aiven.io>
(cherry picked from commit 9fb106c)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
peternied pushed a commit that referenced this pull request Sep 1, 2023
…ror messages (#3279)

Backport 9fb106c from #3205.

Signed-off-by: Andrey Pleskach <ples@aiven.io>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>