potiuk commented on code in PR #58209:
URL: https://github.com/apache/airflow/pull/58209#discussion_r2529933161
##########
airflow-core/src/airflow/api_fastapi/execution_api/app.py:
##########
@@ -218,7 +218,7 @@ def custom_generate_unique_id(route: APIRoute):
@app.exception_handler(Exception)
def handle_exceptions(request: Request, exc: Exception):
logger.exception("Handle died with an error", exc_info=(type(exc),
exc, exc.__traceback__))
- content = {"message": "Internal server error"}
+ content = {"message": "Internal server error", "details": str(exc) or
""}
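Review bot: the `+` line's `"details": str(exc) or ""` sends the raw exception message to the API client, and exception messages routinely carry internal detail (file paths, connection strings, query fragments) that only the server log should hold. Suggest keeping `content = {"message": "Internal server error"}` and adding a correlation id to it, with the same id included in the `logger.exception(...)` call two lines above, so an operator with log access can look up the full traceback from the id alone.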
Review Comment:
This should not happen. This potentially leaks security related information
and makes it easier for potential attackers to design more sophisticated ways of
attacking the system. The default we are following in Airflow is that the
information returned to the API user should **at most** contain a correlation
id so that if they search for more details and have access to the logs they can
search for the information. We already have it in other places (you can look it
up) - but the right way to do it is to generate a UUID (ideally one that
contains timestamp and machine-related component) and print it in both - log
and information returned to the user, including information that if they look
for specific log, they can use that UUID.