RESTEasy / RESTEASY-725

StringParameterInjector reveals too much information


Details

    • Type: Feature Request
    • Resolution: Obsolete
    • Priority: Major
    • Version: 2.2.2.GA
    • Component: jaxrs

    Description

      When request parameters can't be parsed, the StringParameterInjector generates messages like:

      Unable to extract parameter from http request: javax.ws.rs.QueryParam(\"domain\") value is 'abc'' for public abstract javax.ws.rs.core.Response com.mycompany.jaxrs.SearchResource.search(java.lang.String,java.lang.String,com.mycompany.Domain,java.util.List,java.util.List,com.mycompany.OrderBy,com.mycompany.SortOrder,java.lang.Integer,java.lang.Long,boolean,javax.ws.rs.core.UriInfo)"}

      This reveals a lot of unnecessary information about the internal implementation that may be considered a security concern by some.

      It would be great to either:

      • sanitize this message so that it contains only the query param name (maybe log the full information, at debug level).
      • add some kind of message formatting interface and allow us to set a @Provider that decides exactly how the message is formatted
      • add a simple configuration flag that allows us to set 'dev_messages=false' (or similar) that causes the StringParameterInjector to omit param types and the target

      Cheers!
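      The second and first suggestions above can be combined today with a JAX-RS ExceptionMapper registered as a @Provider. The example below is added here and is not RESTEasy project code or code from the reporter; it assumes that RESTEasy 2.x reports a failed conversion as org.jboss.resteasy.spi.BadRequestException and that its message has the "javax.ws.rs.QueryParam(\"domain\") value is ... for ..." shape quoted in the description. The mapper logs the full text at debug level and returns a 400 whose body names only the parameter kind and name, never the echoed raw value or the resource method signature.

```java
// Added example (not RESTEasy's own code). Assumes RESTEasy 2.x throws
// org.jboss.resteasy.spi.BadRequestException from StringParameterInjector
// with a message of the form shown in the issue description.
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
import org.jboss.resteasy.spi.BadRequestException;

@Provider
public class ParamErrorMapper implements ExceptionMapper<BadRequestException> {
    private static final Logger LOG = Logger.getLogger(ParamErrorMapper.class.getName());

    // Matches only the annotation part of the message, e.g.
    // javax.ws.rs.QueryParam("domain"); the optional backslashes also accept
    // the JSON-escaped form javax.ws.rs.QueryParam(\"domain\") seen when the
    // message is copied out of a JSON error body.
    private static final Pattern PARAM = Pattern.compile(
        "javax\\.ws\\.rs\\.(\\w+Param)\\(\\\\?\"([^\"\\\\]+)\\\\?\"\\)");

    @Override
    public Response toResponse(BadRequestException e) {
        String full = String.valueOf(e.getMessage());
        // Full detail (parameter types, resource class, method signature and the
        // raw submitted value) stays server-side at debug level.
        LOG.log(Level.FINE, "Parameter extraction failed: {0}", full);
        return Response.status(Response.Status.BAD_REQUEST)
            .type(MediaType.APPLICATION_JSON_TYPE)
            .entity("{\"error\":\"" + sanitize(full) + "\"}")
            .build();
    }

    /** Reduce the verbose RESTEasy message to the parameter kind and name only. */
    static String sanitize(String full) {
        if (full == null) {
            return "Invalid request parameter";
        }
        Matcher m = PARAM.matcher(full);
        if (!m.find()) {
            return "Invalid request parameter";
        }
        // "QueryParam" -> "query", "PathParam" -> "path", ...
        String kind = m.group(1).replace("Param", "").toLowerCase();
        // The name comes from our own annotation, but restrict it to a safe
        // character set anyway so nothing attacker-influenced is reflected.
        String name = m.group(2).replaceAll("[^A-Za-z0-9_.\\-]", "");
        return "Invalid value for " + kind + " parameter '" + name + "'";
    }

    public static void main(String[] args) {
        // Constructed input: the message quoted in the issue description, with the
        // JSON escaping it was pasted with and the raw value 'abc'' still inside.
        String msg = "Unable to extract parameter from http request: "
            + "javax.ws.rs.QueryParam(\\\"domain\\\") value is 'abc'' for public abstract "
            + "javax.ws.rs.core.Response com.mycompany.jaxrs.SearchResource.search("
            + "java.lang.String,java.lang.String,com.mycompany.Domain,java.util.List,"
            + "java.util.List,com.mycompany.OrderBy,com.mycompany.SortOrder,"
            + "java.lang.Integer,java.lang.Long,boolean,javax.ws.rs.core.UriInfo)";
        System.out.println(sanitize(msg));
        // Invalid value for query parameter 'domain'
    }
}
```

      Note that the submitted value is deliberately dropped rather than re-quoted: an error body that reflects the raw input is both an information-disclosure and, when a client renders it as HTML, a reflected-content problem, so the client gets the parameter name and nothing else.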

          People

            Assignee: Bill Burke (patriot1burke@gmail.com)
            Reporter: Joe Littlejohn (joelittlejohn)
            Votes: 0
            Watchers: 3