Details
-
Feature Request
-
Resolution: Fixed
-
L3 - Default
-
None
-
None
-
None
-
Not defined
Description
Problem
Internal implementation details exposed to a REST consumer can be used to derive application internals leveraged for an attack. The current Optimize implementation returns currently a part of the specific exception/parts of the stack trace that can contain implementation details.
Goal
- [MH] All failed REST requests respond with a generic error string (e.g., "Request failed").
- [SH] Failed REST request respond with defined error codes to make it easier for the consumer to build compensations
Hint
- This behavior should be aligned with the other components.
- joshua.windels's Note: My understanding is that this could only be a problem for Jackson errors. The reason for this is likely to be that Jackson have default mappers registered that we don't override, which include the stack trace in the response. See more here: https://stackoverflow.com/a/45482110
Testing Notes:
- Make various requests to Optimize to trigger errors. Observe that no stack traces are observed in the error response