This repository has been archived by the owner on Feb 9, 2024. It is now read-only.
Security: stack traces returned in API #2269
To reproduce:
a-palchikov added a commit that referenced this issue on Aug 12, 2021:

Implement conditional stack traces for HTTP APIs. The original implementation removes the stack traces from HTTP API errors unconditionally, which results in reduced troubleshooting efficacy when the errors contain important details about a failure from the CLI client. In order to counter this and provide useful information when necessary, the stack traces are only stripped if the request does not contain a custom marker identifying the gravity client. Updates #2269.
a-palchikov added further commits with the same message that referenced this issue on Aug 12, Aug 31, Sep 1 and Sep 1, 2021.
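The conditional stripping described in the commit message, as an added example that is not gravity's own code: the error writer keeps the stack trace only when the request carries a client marker, and the header name `X-Gravity-Client` and the sample values are assumptions, since the issue page does not name the real marker.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"runtime/debug"
)

// Hypothetical marker header (the issue does not name the real one). It only
// identifies the gravity CLI client; it is not authentication.
const clientMarkerHeader = "X-Gravity-Client"

// apiError is the JSON error body returned to API callers.
type apiError struct {
	Message string `json:"message"`
	Trace   string `json:"trace,omitempty"`
}

// writeError renders err as a JSON error response. The stack trace is kept
// only when the request carries the client marker; other callers get the message alone.
func writeError(w http.ResponseWriter, r *http.Request, status int, err error, trace []byte) {
	body := apiError{Message: err.Error()}
	if r.Header.Get(clientMarkerHeader) != "" {
		body.Trace = string(trace)
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(body)
}

// errorResponse sends a constructed failing request through writeError and
// decodes the reply, so both client kinds can be compared.
func errorResponse(withMarker bool) (apiError, error) {
	req := httptest.NewRequest(http.MethodGet, "/api/sites", nil)
	if withMarker {
		req.Header.Set(clientMarkerHeader, "gravity-cli") // constructed value
	}
	rec := httptest.NewRecorder()
	writeError(rec, req, http.StatusInternalServerError, errors.New("operation failed"), debug.Stack())
	var out apiError
	err := json.NewDecoder(rec.Body).Decode(&out)
	return out, err
}

func main() {
	anon, _ := errorResponse(false)
	cli, _ := errorResponse(true)
	fmt.Printf("anonymous trace bytes: %d, client trace bytes: %d\n", len(anon.Trace), len(cli.Trace))
}
```

Because the marker is just a request header, it only decides how verbose an error is; it must not be used to gate anything the endpoint's own authentication does not already allow.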
While gravity is OSS software (so returning stack traces doesn't tend to be a real information disclosure), it does provide some opportunity to observe the code paths or possibly the version of gravity in use. These aren't used, so we should disable them.
Example: