How do we prevent stack trace from being getting displayed on Kibana?

(Tushar Balasaheb Kardile) #1

If I try to access a kibana API like (localhost:5601/api/timelion/run), I get a stack trace displayed on the Web UI

. This exposes the details of kibana installation path. Similarly if there is an error while querying data, in that case as well the stack trace is thrown on the UI. Is there a way to disable this by some simple configurational change or anything else?

(Tim Sullivan) #2

The error shown in the screenshot looks to me like a bug, because that endpoint (api/timelion/run) should only allow POST but we're able to get it to do something with a GET request.

It looks like you've already a bug filed on that: Thank you!

Can you provide more information by what you mean when you say "if there is an error while querying data... the stack trace is thrown in the UI"? Is that specific to Timelion as well?

Generally an error querying for data through elasticsearch doesn't show a stack trace with install details about anything:

(Tushar Balasaheb Kardile) #3

Hi Tim,

I have observed this issue specific to Timelion itself. By 'stack trace being thrown on UI' I mean to say that it is being displayed in browser window/tab on hitting the mentioned endpoint.

As you rightly pointed out, stack trace is not displayed for others. But we do get a red bar on the UI with more details in it like this one.

The details even though displayed, are not readable. Plus these expose the JS file path where exception had occured

Do we have any way to disable this? I mean, do we have any configuration available so that we can disable this when Kibana is hosted in production mode? Or can we incorporate this in newer version released?

(Tim Sullivan) #4

The bug that you filed in the Github repo is totally valid and needs to be fixed. I checked on it again, and there is a fix in the works:

It is targeted to be backported to 5.5.1, which is the soonest possible patch release that it can be done in.

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.