
servicecomb 2.8.14: the exception message thrown when request-parameter validation fails contains internal code structure, line numbers and similar information #4260

Open
JedrekWang opened this issue Mar 6, 2024 · 2 comments


@JedrekWang

Background

When the body passed in an interface call does not match the input parameter defined by the interface, the message returned by the interface contains internal code structure, line numbers and similar information.

Reproduction demo

The interface input parameter is defined as follows:

public class CommonReq {
    private String name;
    private Integer type;
    // getters and setters not shown in the report; Jackson needs them (or field visibility) to bind the body
}

The body passed in the HTTP request is as follows:

{
    "name": "jedrek",
    "type": "hard"
}

The error message is as follows:

{
"message": "Parameter is not valid for operation [xxx]. Parameter is [commonReq]. Processor is [body]. Message is [Cannot deserialize value of type java.lang.Integer from String "hard": not a valid java.lang.Integer value\n at [Source: (org.apache.servicecomb.foundation.vertx.stream.BufferInputStream); line: 3, column: 13] (through reference chain: CommonReq["type"])]."
}

This output seems to be a security problem, because it exposes the internal implementation of the interface. Could the exception message that is printed be adjusted for this scenario?
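As an added example, not code from ServiceComb or from the issue author, the following shows how an application layer could handle the failure mode described above: bind the request body with Jackson, keep the full deserialization detail (line/column, reference chain, implementation classes) in the server log, and return to the caller only the operation id, the offending field and the expected type. The class `SafeBodyBinder`, the `Outcome` holder, the `bind` method and the `operationId` parameter are assumptions introduced for this illustration; the sample body is the one from the issue.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidFormatException;
import java.io.IOException;
import java.util.List;
import java.util.logging.Logger;

// Hypothetical helper (not part of ServiceComb): binds a request body and maps
// Jackson failures to a client-facing message that carries no source location
// or implementation class names.
public class SafeBodyBinder {
    private static final Logger LOG = Logger.getLogger(SafeBodyBinder.class.getName());
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // DTO from the issue, with accessors so Jackson can bind it.
    public static class CommonReq {
        private String name;
        private Integer type;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Integer getType() { return type; }
        public void setType(Integer type) { this.type = type; }
    }

    // Outcome of binding: either a value or a message that is safe to return to the caller.
    public static final class Outcome<T> {
        public final T value;
        public final String clientMessage;
        private Outcome(T value, String clientMessage) {
            this.value = value;
            this.clientMessage = clientMessage;
        }
        public boolean isOk() { return clientMessage == null; }
    }

    public static <T> Outcome<T> bind(String body, Class<T> type, String operationId) {
        try {
            return new Outcome<>(MAPPER.readValue(body, type), null);
        } catch (InvalidFormatException e) {
            // Wrong type for a known field: report the field and the expected type only.
            logDetail(operationId, e);
            String msg = "Parameter is not valid for operation [" + operationId + "]. Field ["
                    + lastField(e) + "] must be of type " + e.getTargetType().getSimpleName() + ".";
            return new Outcome<>(null, msg);
        } catch (JsonMappingException e) {
            // Other binding problems (unknown property, missing value, ...): field name only.
            logDetail(operationId, e);
            return new Outcome<>(null, "Parameter is not valid for operation [" + operationId
                    + "]. Field [" + lastField(e) + "] could not be read.");
        } catch (IOException e) {
            // Syntactically broken JSON: no parser position, no parser class in the reply.
            LOG.warning("operation=" + operationId + " malformed body: " + e.getMessage());
            return new Outcome<>(null, "Request body is not valid JSON.");
        }
    }

    // The full Jackson message (line/column, reference chain, implementation classes)
    // is still recorded server-side, where it keeps its value for troubleshooting.
    private static void logDetail(String operationId, JsonMappingException e) {
        LOG.warning("operation=" + operationId + " path=" + e.getPathReference()
                + " location=" + e.getLocation() + " detail=" + e.getOriginalMessage());
    }

    // Name of the innermost field in the reference chain, or "body" if there is none.
    private static String lastField(JsonMappingException e) {
        List<JsonMappingException.Reference> path = e.getPath();
        if (path.isEmpty()) {
            return "body";
        }
        String field = path.get(path.size() - 1).getFieldName();
        return field == null ? "body" : field;
    }

    public static void main(String[] args) {
        // Constructed sample: the body from the issue, where "type" is a string rather than an Integer.
        String body = "{\n  \"name\": \"jedrek\",\n  \"type\": \"hard\"\n}";
        Outcome<CommonReq> out = bind(body, CommonReq.class, "xxx");
        System.out.println(out.isOk() ? "ok" : out.clientMessage);
    }
}
```

With the sample body the caller sees that field `type` of operation `xxx` must be an `Integer`, while the server log keeps the line/column and the `CommonReq["type"]` reference chain that the maintainers find useful for diagnosis.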

@chengyouling
Contributor

But this information is very helpful for locating the problem when a parameter is invalid; it only points at a particular parameter and does not reveal the content of all parameters.

@liubao68
Contributor

liubao68 commented Mar 7, 2024

This content is the common message for malformed JSON, and it is very widespread. It contains no information that could be exploited from an information-security standpoint, and it is very helpful for day-to-day troubleshooting. On balance, this is not treated as a security issue; the current behaviour is kept.
