For me, sanitization is essentially to hide all the plumbing, and only keep my own user code on the surface, so that I know where in my code it started failing. So I tend to want more sanitization than less :-)
On Thu, Jun 23, 2022 at 3:29 AM Paul King <pa...@asert.com.au> wrote: > Hi folks, > > We've had a recent PR to add "jdk.internal" to the list of packages we > remove when sanitizing stacktraces: > > https://github.com/apache/groovy/pull/1727 > > We've also had a much earlier request to filter less aggressively, see: > > https://github.com/apache/groovy/pull/256 > https://issues.apache.org/jira/browse/GROOVY-7756 > > PR#1727 looks good to me but it seems worthwhile to consider both > requests if we are going to make a change. > > Current list: groovy., org.codehaus.groovy., java., javax., sun., > gjdk.groovy. > Suggested by #1727: groovy., org.codehaus.groovy., java., javax., > sun., gjdk.groovy., jdk.internal > Suggested by #256: groovy., org.codehaus.groovy., java.lang.reflect., > sun.reflect., gjdk.groovy. > > If we were going to include (most of) "java", then there is an > argument that you should include "groovy" as well. My current thinking > is something like below might work: > > Suggestion: org.codehaus.groovy., org.apache.groovy, > java.lang.reflect, sun., gjdk.groovy., jdk.internal. > > The original thinking behind excluding "java." was that if you had a > script with e.g. Strings and Lists, you didn't really need to know > whether you had Java implemented data types or something supplied by > Groovy. While this is still a worthwhile goal, in reality most folks > need to know those datatypes pretty quickly, so hiding them away isn't > super beneficial. > > I also discovered that Grails uses a list something like this: > "org.codehaus.groovy.runtime.", "org.codehaus.groovy.reflection.", > "org.codehaus.groovy.ast.", > "org.springframework.web.filter", "org.springframework.boot.actuate", > "org.mortbay.", > "groovy.lang.", "org.apache.catalina.", "org.apache.coyote.", > "org.apache.tomcat.", > "net.sf.cglib.proxy.", "sun.", "java.lang.reflect.", > "org.springframework.boot.devtools.", > "org.springsource.loaded.", "com.opensymphony.", "javax.servlet." > > In terms of branches, I was thinking of Groovy 5 only and probably > back-ported to 4. > > And just a reminder, there is a "groovy.sanitized.stacktraces" system > property, so folks can change this if they really want. > > What do others think? > > Cheers, Paul. > -- Guillaume Laforge Apache Groovy committer Developer Advocate @ Google Cloud Platform Blog: http://glaforge.appspot.com/ Twitter: @glaforge <http://twitter.com/glaforge>
