Consider not exposing exception error attribute by default #7872

Closed
vpavic opened this issue Jan 4, 2017 · 2 comments
Labels
status: superseded An issue that has been superseded by another

@vpavic
Contributor

vpavic commented Jan 4, 2017

By default, ErrorAttributes will expose exception attribute which can be considered information leakage similarly to #4730. IMO the exception attribute shouldn't be included by default but rather only using a mechanism similar to one used to include trace attribute.

To clarify using a sample:

@RestController
class AppController {

        @GetMapping("/")
        String home() {
                throw new RuntimeException("Sample error message")
        }

}

Running this with Spring Boot CLI and hitting the home handler will yield:

HTTP/1.1 500 
Connection: close
Content-Type: application/json;charset=UTF-8
Date: Wed, 04 Jan 2017 16:34:22 GMT
Transfer-Encoding: chunked

{
    "error": "Internal Server Error", 
    "exception": "java.lang.RuntimeException", 
    "message": "Sample error message", 
    "path": "/", 
    "status": 500, 
    "timestamp": 1483547662254
}
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 4, 2017
@philwebb philwebb added for: team-attention An issue we'd like other members of the team to review priority: normal type: enhancement A general enhancement and removed for: team-attention An issue we'd like other members of the team to review status: waiting-for-triage An issue we've not yet triaged labels Jan 4, 2017
@philwebb
Member

It would be nice to provide an easy way to do this, but it should be possible already by using your own ErrorAttributes implementation.
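
One way to apply the workaround described in the comment above, as an added example that is not code from this issue or from Spring Boot. It assumes the Spring Boot 1.x API that was current when the issue was opened (`DefaultErrorAttributes` in `org.springframework.boot.autoconfigure.web`; later releases moved the class and changed the method signature), and the property name `app.error.include-exception` is hypothetical.

```java
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.web.DefaultErrorAttributes;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestAttributes;

/**
 * Replaces the auto-configured ErrorAttributes bean. The default bean is only
 * registered when no other ErrorAttributes bean exists, so declaring this
 * component is enough to take over the error response body.
 */
@Component
public class SanitizedErrorAttributes extends DefaultErrorAttributes {

    // Hypothetical opt-in switch (assumption, not a Spring Boot property).
    // Defaults to false so the exception class name is hidden unless enabled.
    @Value("${app.error.include-exception:false}")
    private boolean includeException;

    @Override
    public Map<String, Object> getErrorAttributes(RequestAttributes requestAttributes,
            boolean includeStackTrace) {
        // Let the default implementation build timestamp, status, error,
        // message and path (and trace, when the caller asked for it).
        Map<String, Object> attributes =
                super.getErrorAttributes(requestAttributes, includeStackTrace);

        // Drop the fully qualified exception class name, e.g.
        // "java.lang.RuntimeException" in the sample response above.
        if (!this.includeException) {
            attributes.remove("exception");
        }
        return attributes;
    }

}
```

With this bean in place, the sample request from the issue returns the same JSON body without the `exception` key; the exception is still available to server-side logging.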

@snicoll
Member

snicoll commented Apr 22, 2017

Closing in favour of PR #8971

@snicoll snicoll closed this as completed Apr 22, 2017
@snicoll snicoll added status: duplicate A duplicate of another issue and removed priority: normal type: enhancement A general enhancement labels Apr 22, 2017
snicoll added a commit that referenced this issue Apr 27, 2017
* pr/8971:
  Polish "Do not expose `exception` error attribute by default"
  Do not expose `exception` error attribute by default
@philwebb philwebb added status: superseded An issue that has been superseded by another and removed status: duplicate A duplicate of another issue labels Sep 11, 2018