

Prevent raw request body as output in serialization error messages (#…
…3205)

Excluded sensitive info from Java stack traces for:
- YAML object mapper as well
- NonValidatingObjectMapper
- defaulOmittingObjectMapper

For more details see
https://github.com/FasterXML/jackson-core/wiki/JsonParser-Features#misc-other

Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin authored Aug 31, 2023
1 parent a4f8f03 commit 9fb106c
Showing 2 changed files with 4 additions and 6 deletions.
Expand Up @@ -61,6 +61,8 @@ public class DefaultObjectMapper {
// if jackson cant parse the entity, e.g. passwords, hashes and so on,
// but provides which property is unknown
objectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
defaulOmittingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
YAML_MAPPER.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
// objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
objectMapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
defaulOmittingObjectMapper.setSerializationInclusion(Include.NON_DEFAULT);
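Review bot: The comment on the two lines above the three `disable` calls (inside the static initializer, which starts before this hunk) still describes the feature in terms of `objectMapper` alone and does not say why INCLUDE_SOURCE_IN_LOCATION matters, so a later reader may drop one of the two new lines as redundant. Suggest replacing it with `// Keep the raw document out of JsonLocation and exception messages on every mapper:` / `// a parse failure must not echo the input (which may hold passwords or hashes) to callers or logs.` Because each mapper is configured independently here, any mapper created elsewhere or obtained via copy() starts from the Jackson default and reintroduces the leak; a regression test that parses a malformed document containing a sentinel string with each of the three mappers and asserts the JsonProcessingException message does not contain the sentinel would pin this behaviour.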
Expand Up @@ -45,6 +45,7 @@ public class NonValidatingObjectMapper {
private static final ObjectMapper nonValidatingObjectMapper = new ObjectMapper();

static {
nonValidatingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
nonValidatingObjectMapper.setSerializationInclusion(Include.NON_NULL);
nonValidatingObjectMapper.configure(JsonParser.Feature.STRICT_DUPLICATE_DETECTION, false);
nonValidatingObjectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
Expand All @@ -65,12 +66,7 @@ public static <T> T readValue(String string, JavaType jt) throws IOException {
}

try {
return AccessController.doPrivileged(new PrivilegedExceptionAction<T>() {
@Override
public T run() throws Exception {
return nonValidatingObjectMapper.readValue(string, jt);
}
});
return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () -> nonValidatingObjectMapper.readValue(string, jt));
} catch (final PrivilegedActionException e) {
throw (IOException) e.getCause();
}
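Review bot: The new `disable` call in the first hunk carries no comment explaining its purpose, unlike the parallel change in DefaultObjectMapper, so it reads as an arbitrary setting; suggest `// Keep the raw document out of JsonLocation/exception messages: it may contain credentials (mirrors DefaultObjectMapper).` The second hunk only replaces the anonymous PrivilegedExceptionAction with a lambda and keeps the `throw (IOException) e.getCause();` cast, which stays correct only as long as the action throws nothing but IOException subtypes; readValue's declared exceptions appear to satisfy that, so this is a style observation rather than a defect. Both the static block in the first hunk and readValue in the second start outside their hunks.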

