Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Hide technical details in answer but log them

See original GitHub issue

Detailed Description

In 2021, this is the second time that an external company specializing in security is reporting during a pentest a security breach because the REST API response includes technical details. Both Spring Boot applications are using the problem-spring-web-starter module with no particular configuration.

Context

In our GET API, a wrong date 2021-13-16 (month at 13) is passed as query param. The handleTypeMismatch method of the TypeMismatchAdviceTrait class is invoked. A hacker can guess the technical stack: Java, Spring Framework, Bean Validation and Swagger in the case bellow.

{
  "title": "Bad Request",
  "status": 400,
  "detail": "Failed to convert value of type 'java.lang.String' to required type 'java.time.LocalDate'; nested exception is org.springframework.core.convert.ConversionFailedException: Failed to convert from type [java.lang.String] to type [@io.swagger.annotations.ApiParam @javax.validation.Valid @org.springframework.web.bind.annotation.RequestParam @org.springframework.format.annotation.DateTimeFormat java.time.LocalDate] for value '2021-13-16'; nested exception is java.lang.IllegalArgumentException: Parse attempt failed for value [2021-13-16]"
}

Possible Implementation

We woud like to have the possibility either to mask class or packages names in the details message that is returned to the client or to use a generic tehnical message.

We have to keep the real technical details in the ERROR log (AdviceTraits::log)

Other way: maybe using an overridable method to build the problem body on demand?

ResponseEntity
        .status(status)
        .headers(headers)
        .contentType(contentType)
        .body(problem))

Your Environment

  • Problem version used: 0.26.2
  • Spring Boot version : 2.5.2

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:8

github_iconTop GitHub Comments

1reaction
areycommented, Dec 17, 2021

Yes I see that. Thank you for the tipis. So I quickly fixed my issue with the code below (without this we got a nogo in production):

    @Override
    public ProblemBuilder prepare(final Throwable throwable, final StatusType status, final URI type) {
        BusinessException businessException = ExceptionUtils.throwableOfType(throwable, BusinessException.class);
        String detail = (businessException != null) ? businessException.getMessage() : "Technical error";
        return Problem.builder()
            .withType(type)
            .withTitle(status.getReasonPhrase())
            .withStatus(status)
            .withDetail(detail)
            .withCause(Optional.ofNullable(throwable.getCause())
                .filter(cause -> isCausalChainsEnabled())
                .map(this::toProblem)
                .orElse(null));
    }

I don’t know if I am the only developer having this kind of security problem? How do you handle it?

0reactions
HJK181commented, May 6, 2022

Hi @arey Thanks for your response. Meanwhile, I debugged a little bit more and I think my problem is caused by @DateTimeFormat(iso = ISO.DATE) annotation of my DTO this causes

org.springframework.core.convert.ConversionFailedException: Failed to conv'
ert from type [java.lang.String] to type [@org.springframework.format.annotation.Da'
teTimeFormat java.time.LocalDate]

This exception gets handled by MethodArgumentNotValidAdviceTrait that created a newConstraintViolationProblem and in that flow the prepare method is not called. Guess I could try to add an @ExceptionHandler for ConversionFailedException and discard the Violation message there.

Read more comments on GitHub >

github_iconTop Results From Across the Web

How to hide technical info ( number) of a selected set in result ...
Hi,. with standard you can not hide the details since through these values system do the valuation. The texts are for reference. But...
Read more >
Hide or Unhide worksheets - Microsoft Support
To hide the sheet, select Hide. To unhide hidden sheets, select them in the Unhide dialog that appears, and then select OK. The...
Read more >
php hide ALL errors - Stack Overflow
I've tried using the .htacess by putting the code php_flag display_errors off in there, but it returns me a 500 error . Are...
Read more >
How private browsing works in Chrome - Android - Google Help
When you browse privately, other people who use the device won't see your history. Chrome doesn't save your browsing history or information entered...
Read more >
What options can I set in a quiz? - Canvas Community
Set Quiz Options · To show answers immediately after quiz is submitted, leave the Show and Hide fields blank. · To create a...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Problem should override equals and hashcode

Next page

Fails to work with Spring Security after upgrading to Spring Boot 2.5