From fce75526a490da34440c6ec63815f6ebfa235114 Mon Sep 17 00:00:00 2001 From: Andrey Pleskach Date: Wed, 16 Aug 2023 16:48:19 +0200 Subject: [PATCH] Exclude sensitive info from the stacktrace If Jackson can't parse JSON body it throws IOException which contains the whole request body including hashes, passwords and so on. This property was added in 2.9 version, so the body will be excluded from logs. Instead, Jackson adds UNKNOWN for body and provide the property name it can't parse. Signed-off-by: Andrey Pleskach
--- .../java/org/opensearch/security/DefaultObjectMapper.java | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/src/main/java/org/opensearch/security/DefaultObjectMapper.java b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
index fb3385629b..64bcd95fc5 100644
--- a/src/main/java/org/opensearch/security/DefaultObjectMapper.java
+++ b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
@@ -57,6 +57,10 @@ public class DefaultObjectMapper {
 static {
 objectMapper.setSerializationInclusion(Include.NON_NULL);
+ // exclude sensitive information from the request body,
+ // if jackson cant parse the entity, e.g. passwords, hashes and so on,
+ // but provides which property is unknown
+ objectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
 // objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
 objectMapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
 defaulOmittingObjectMapper.setSerializationInclusion(Include.NON_DEFAULT);
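Review bot: Only `objectMapper` has source inclusion disabled; `defaulOmittingObjectMapper`, configured as a separate mapper on the last visible line of the hunk, keeps Jackson's default, so a parse failure through it would still copy the raw request body into the exception's `JsonLocation`. Add `defaulOmittingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);` beside it, and check any other `ObjectMapper`, `ObjectReader` or `JsonFactory` instances in this class for the same setting. Disabling the feature only strips the source snippet from the location; data-binding errors such as `InvalidFormatException` still quote the offending value in their message, so call sites that log `e.getMessage()` for a rejected body are not fully covered by this change. A small test that feeds a malformed body containing a sentinel string and asserts the sentinel is absent from the exception's `toString()` would lock the intended behaviour in. Note that Jackson 2.16 deprecates the `JsonParser.Feature` constant in favour of `StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` and, I believe, turns it off by default, so whether this line stays necessary depends on the pinned version; the static initializer continues past the end of the hunk.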