Uploaded image for project: 'Camunda Optimize'
  1. Camunda Optimize
  2. OPT-6715

REST interfaces not exposing implementation details

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Fixed
    • Icon: L3 - Default L3 - Default
    • 3.10.0-alpha4, 3.9.4
    • None
    • None
    • None
    • Not defined

      Problem

      Internal implementation details exposed to a REST consumer can be used to derive application internals leveraged for an attack. The current Optimize implementation returns currently a part of the specific exception/parts of the stack trace that can contain implementation details.

      Goal

      • [MH] All failed REST requests respond with a generic error string (e.g., "Request failed").
      • [SH] Failed REST request respond with defined error codes to make it easier for the consumer to build compensations

      Hint

      • This behavior should be aligned with the other components.
      • joshua.windels's Note: My understanding is that this could only be a problem for Jackson errors. The reason for this is likely to be that Jackson have default mappers registered that we don't override, which include the stack trace in the response. See more here: https://stackoverflow.com/a/45482110

      Testing Notes:

      • Make various requests to Optimize to trigger errors. Observe that no stack traces are observed in the error response

        This is the controller panel for Smart Panels app

              Unassigned Unassigned
              tobias.conz Tobias Conz
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: