Exclude sensitive info from the jackson serialization stacktraces (#3195

)

If Jackson can't parse JSON body it throws `IOException` which contains
the whole request body including hashes, passwords and so on. This
property was added in 2.9 version, so the body will be excluded from
logs. Instead, Jackson adds `UNKNOWN` for the source and provides the
property name it can't parse.

Signed-off-by: Andrey Pleskach <[email protected]>

src/main/java/org/opensearch/security/DefaultObjectMapper.java

@@ -57,6 +57,10 @@ public class DefaultObjectMapper {
 
     static {
         objectMapper.setSerializationInclusion(Include.NON_NULL);
+        // exclude sensitive information from the request body,
+        // if jackson cant parse the entity, e.g. passwords, hashes and so on,
+        // but provides which property is unknown
+        objectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
         // objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
         objectMapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
         defaulOmittingObjectMapper.setSerializationInclusion(Include.NON_DEFAULT);