Re: [PR] KNOX-3039 Add error message sanitization to GatewayServlet [knox]

via GitHub Tue, 04 Jun 2024 07:25:44 -0700


moresandeep commented on code in PR #914:
URL: https://github.com/apache/knox/pull/914#discussion_r1626113580



##########
gateway-server/src/main/java/org/apache/knox/gateway/GatewayServlet.java:
##########
@@ -277,4 +278,34 @@ public Enumeration<String> getInitParameterNames() {
       return config.getInitParameterNames();
     }
   }
+
+  private Exception sanitizeException(Exception e) {
+    if (e == null || e.getMessage() == null) {
+      return e;
+    }
+    if (!isErrorMessageSanitizationEnabled || e.getMessage() == null) {
+      return e;
+    }
+    String sanitizedMessage = 
e.getMessage().replaceAll("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b", "[hidden]");
+    return createNewException(e, sanitizedMessage);

Review Comment:
   Suggestion: Instead of `createNewException` function we can perhaps create a 
SanatizedKnoxException class that does sanitizing and logging and we can then 
wrap original exception with this new SanatizedKnoxException. So less code 
changes in the original class and logic can be changed later without touching 
these classes. 



##########
gateway-server/src/main/java/org/apache/knox/gateway/GatewayServlet.java:
##########
@@ -277,4 +278,34 @@ public Enumeration<String> getInitParameterNames() {
       return config.getInitParameterNames();
     }
   }
+
+  private Exception sanitizeException(Exception e) {
+    if (e == null || e.getMessage() == null) {
+      return e;
+    }
+    if (!isErrorMessageSanitizationEnabled || e.getMessage() == null) {
+      return e;
+    }
+    String sanitizedMessage = 
e.getMessage().replaceAll("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b", "[hidden]");
+    return createNewException(e, sanitizedMessage);

Review Comment:
   We need to log the original error in gateway logs else it would be difficult 
to debug.



##########
gateway-server/src/main/java/org/apache/knox/gateway/GatewayServlet.java:
##########
@@ -277,4 +278,34 @@ public Enumeration<String> getInitParameterNames() {
       return config.getInitParameterNames();
     }
   }
+
+  private Exception sanitizeException(Exception e) {
+    if (e == null || e.getMessage() == null) {
+      return e;
+    }
+    if (!isErrorMessageSanitizationEnabled || e.getMessage() == null) {
+      return e;
+    }
+    String sanitizedMessage = 
e.getMessage().replaceAll("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b", "[hidden]");

Review Comment:
   Suggestion: It would be good to create a variable for the pattern. 
   Also, what does this expression catch? I am assuming IP address. It would be 
cool if we can create a gateway attribute variable like 
`isErrorMessageSanitizationEnabled` so users can specify custom regex in case 
they want to override. In which case a List of pattens would be nice to have!



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] KNOX-3039 Add error message sanitization to GatewayServlet [knox]

Reply via email to