[Backport 2.x] Exclude sensitive info from the jackson serialization …

…stacktraces (#3198) Backport 0d915e2 from #3195. Signed-off-by: Andrey Pleskach <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
opensearch-project · Aug 16, 2023 · 25cf45a · 25cf45a
1 parent 5fa0032
commit 25cf45a
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/main/java/org/opensearch/security/DefaultObjectMapper.java b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
@@ -57,6 +57,10 @@ public class DefaultObjectMapper {
 
     static {
         objectMapper.setSerializationInclusion(Include.NON_NULL);
+        // exclude sensitive information from the request body,
+        // if jackson cant parse the entity, e.g. passwords, hashes and so on,
+        // but provides which property is unknown
+        objectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
         // objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
         objectMapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
         defaulOmittingObjectMapper.setSerializationInclusion(Include.NON_DEFAULT);