Joris Gillis created ZEPPELIN-5375:
--------------------------------------

             Summary: Stack traces exposed in REST API
                 Key: ZEPPELIN-5375
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-5375
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.9.0
            Reporter: Joris Gillis


When an error occurs in Zeppelin after a REST call is made, a stack trace is 
returned. While this can be very useful during debugging, it would be nice to 
be able to switch it off in production. (See also: 
https://security.stackexchange.com/questions/19130/is-a-stack-trace-of-a-server-application-a-vulnerability).

 

For example, if you create a new notebook, a POST call is sent to the Zeppelin 
backend (/api/notebook). If that request is replayed after a first successful 
run, the result is:
{code:java}
{"exception":"IOException","message":"java.io.IOException: Note \u0027/A new 
notebook\u0027 existed","stacktrace":"java.io.IOException: java.io.IOException: 
Note \u0027/A new notebook\u0027 existed\n\tat 
org.apache.zeppelin.rest.AbstractRestApi$RestServiceCallback.onFailure(AbstractRestApi.java:54)\n\tat
 
org.apache.zeppelin.service.NotebookService.createNote(NotebookService.java:169)\n\tat
 
org.apache.zeppelin.rest.NotebookRestApi.createNote(NotebookRestApi.java:392)\n\tat
 sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tat
 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat
 java.lang.reflect.Method.invoke(Method.java:498)\n\tat 
org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)\n\tat
 
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)\n\tat
 
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)\n\tat
 
org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)\n\tat
 
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)\n\tat
 
org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469)\n\tat
 
org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391)\n\tat
 
org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80)\n\tat
 org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:253)\n\tat 
org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)\n\tat 
org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)\n\tat 
org.glassfish.jersey.internal.Errors.process(Errors.java:292)\n\tat 
org.glassfish.jersey.internal.Errors.process(Errors.java:274)\n\tat 
org.glassfish.jersey.internal.Errors.process(Errors.java:244)\n\tat 
org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)\n\tat
 
org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:232)\n\tat 
org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680)\n\tat
 
org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)\n\tat
 org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)\n\tat 
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:366)\n\tat
 
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:319)\n\tat
 
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)\n\tat
 org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)\n\tat 
org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)\n\tat
 
org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)\n\tat
 
org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)\n\tat
 
org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)\n\tat
 
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)\n\tat
 
org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)\n\tat
 
org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)\n\tat
 
org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)\n\tat
 
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)\n\tat
 
org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)\n\tat
 
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:450)\n\tat
 
org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)\n\tat
 
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)\n\tat
 
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)\n\tat
 
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)\n\tat
 
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)\n\tat
 
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)\n\tat
 org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)\n\tat 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)\n\tat
 org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:64)\n\tat 
org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)\n\tat 
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)\n\tat
 
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)\n\tat
 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\n\tat
 
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)\n\tat
 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)\n\tat
 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)\n\tat
 
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)\n\tat
 
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)\n\tat
 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)\n\tat
 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)\n\tat
 
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)\n\tat 
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)\n\tat
 
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)\n\tat
 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)\n\tat
 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\n\tat
 
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234)\n\tat
 
io.micrometer.core.instrument.binder.jetty.TimedHandler.handle(TimedHandler.java:120)\n\tat
 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)\n\tat
 org.eclipse.jetty.server.Server.handle(Server.java:516)\n\tat 
org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)\n\tat
 org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)\n\tat 
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)\n\tat 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)\n\tat
 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)\n\tat
 org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)\n\tat 
org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)\n\tat 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)\n\tat
 
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)\n\tat
 java.lang.Thread.run(Thread.java:748)\nCaused by: java.io.IOException: Note 
\u0027/A new notebook\u0027 existed\n\tat 
org.apache.zeppelin.notebook.NoteManager.addOrUpdateNoteNode(NoteManager.java:129)\n\tat
 org.apache.zeppelin.notebook.NoteManager.addNote(NoteManager.java:192)\n\tat 
org.apache.zeppelin.notebook.Notebook.createNote(Notebook.java:256)\n\tat 
org.apache.zeppelin.service.NotebookService.createNote(NotebookService.java:159)\n\t...
 78 more\n"}
{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
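
One way to make the stack trace in the response above switchable, as an added example that is not Zeppelin's code and not part of the original report. The field names `exception`, `message` and `stacktrace` come from the response shown in the report; the system property `example.rest.exposeStackTrace` and the `errorId` field are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorBodyExample {
    private static final Logger LOG = Logger.getLogger(ErrorBodyExample.class.getName());
    // Hypothetical switch: the report asks for such an option but names none.
    static final String EXPOSE_PROP = "example.rest.exposeStackTrace";

    /** Builds the JSON error body. The trace is always logged; it is returned only if exposeTrace. */
    static String errorBody(Throwable t, boolean exposeTrace) {
        String errorId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "REST call failed, errorId=" + errorId, t); // full trace stays server-side
        StringBuilder json = new StringBuilder("{");
        field(json, "exception", t.getClass().getSimpleName());
        field(json, "message", String.valueOf(t.getMessage()));
        field(json, "errorId", errorId); // lets an operator find the logged trace
        if (exposeTrace) {
            StringWriter sw = new StringWriter();
            t.printStackTrace(new PrintWriter(sw, true));
            field(json, "stacktrace", sw.toString());
        }
        return json.append('}').toString();
    }

    /** Appends one "name":"value" pair, escaping quotes, backslashes and control characters. */
    static void field(StringBuilder json, String name, String value) {
        if (json.length() > 1) json.append(',');
        json.append('"').append(name).append("\":\"");
        for (char c : value.toCharArray()) {
            if (c == '"' || c == '\\') json.append('\\').append(c);
            else if (c < 0x20) json.append(String.format("\\u%04x", (int) c));
            else json.append(c);
        }
        json.append('"');
    }

    public static void main(String[] args) {
        Throwable t = new IOException("Note '/A new notebook' existed"); // constructed sample error
        System.out.println(errorBody(t, Boolean.getBoolean(EXPOSE_PROP))); // unset property: no stacktrace
        System.out.println(errorBody(t, true).contains("\"stacktrace\"")); // debugging mode keeps it
    }
}
```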
