From 219d138b92508be3c93deec67801e4a4b401262e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 16 Aug 2023 21:36:27 +0000
Subject: [PATCH] Exclude sensitive info from the jackson serialization stacktraces (#3195)
If Jackson can't parse JSON body it throws `IOException` which contains the whole request body including hashes, passwords and so on. This property was added in 2.9 version, so the body will be excluded from logs. Instead, Jackson adds `UNKNOWN` for the source and provides the property name it can't parse.
Signed-off-by: Andrey Pleskach
(cherry picked from commit 0d915e24cf16913f01d7d97a9a007c99b39bc2ed)
Signed-off-by: github-actions[bot]
---
 .../java/org/opensearch/security/DefaultObjectMapper.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/main/java/org/opensearch/security/DefaultObjectMapper.java b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
index fb3385629b..64bcd95fc5 100644
--- a/src/main/java/org/opensearch/security/DefaultObjectMapper.java
+++ b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
@@ -57,6 +57,10 @@ public class DefaultObjectMapper {
 
 static {
 objectMapper.setSerializationInclusion(Include.NON_NULL);
+ // exclude sensitive information from the request body,
+ // if jackson cant parse the entity, e.g. passwords, hashes and so on,
+ // but provides which property is unknown
+ objectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
 // objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
 objectMapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
 defaulOmittingObjectMapper.setSerializationInclusion(Include.NON_DEFAULT);
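Review bot: Only `objectMapper` has `JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION` disabled, while the same static initializer also configures `defaulOmittingObjectMapper` (the `setSerializationInclusion(Include.NON_DEFAULT)` context line at the end of the hunk); if that mapper, or any other mapper declared outside this hunk, is ever used to read request bodies, its parse exceptions will still embed the raw input. Adding `defaulOmittingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);` beside it would keep both mappers consistent. The new comment could also state the resulting behaviour rather than only the motivation, e.g. `// JsonLocation in parse errors reports UNKNOWN instead of the raw input; the offending property name is still reported`. A test that feeds each mapper a malformed body containing a marker string and asserts the marker is absent from the exception message would keep this from regressing. The static initializer continues past the hunk.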