Is there any way to prevent ES from disclosing exception details in REST response?

We expose the ES _search endpoint directly to consumers. When our REST API gets
scanned for security vulnerabilities, the scanner complains about ES returning exception
details. For example, a malformed query will be included in the response
along with the exception. While it is more or less harmless, the tool
complains of various injections and internals disclosures. I would like to
be able to turn the error message in the response off (or substitute it with a
generic message) in production while keeping the normal response logic in
development.

Is there any way I can do it?

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/83e6b126-4db1-44cc-9a0a-0dd6c6d44a64%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

You can put a reverse proxy like nginx between the ES cluster and the rest of
the world and filter away all HTTP status 500 responses.

Jörg

On Mon, Sep 15, 2014 at 11:57 PM, AlexR roytmana@gmail.com wrote:
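As an added example of the reverse-proxy approach Jörg suggests (this is not configuration from the thread; the listen port, upstream address and index name are assumptions), an nginx server block that relays only the search endpoint of one index and replaces the body of any 4xx/5xx upstream response with a fixed JSON message, keeping the status code but not the exception text:

```nginx
# Added example, not from the thread. Address, port and index name are assumed.
upstream es_backend {
    server 127.0.0.1:9200;            # the ES node's HTTP port
}

server {
    listen 8080;
    default_type application/json;

    # Expose only the _search endpoint of one index; everything else is 404.
    location = /myindex/_search {
        limit_except GET POST { deny all; }
        proxy_pass http://es_backend;

        # Any upstream response with status >= 300 is handed to error_page
        # instead of being relayed, so ES's exception body never leaves the proxy.
        # The "=" form makes the client see the status set in the named location.
        proxy_intercept_errors on;
        error_page 400 404 405 = @client_error;
        error_page 500 502 503 504 = @server_error;
    }

    location / { return 404 '{"error":"not found"}'; }

    location @client_error { return 400 '{"error":"malformed request"}'; }
    location @server_error { return 500 '{"error":"internal error"}'; }
}
```

This keeps 400 and 500 distinguishable for clients while dropping the message that echoes the query. One caveat a status-based filter does not cover: a search that succeeds on some shards and fails on others comes back as HTTP 200 with the per-shard failure reasons in the `_shards` section of the body, so that case still needs body inspection at the application layer.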

Thanks Jörg,

Unfortunately it is not an option: we are not at liberty to touch anything
beyond our app servers. We are using the transport-wares servlet for ES, and I
could easily tweak AbstractServletRestChannel to handle RestChannel
responses with codes 400/500, but I would like to avoid modifying the code
directly, and there is no way to do it nicely. I put a request on GitHub for
enhancements to the NodeServlet, but was hoping ES might have an option to
turn error details on/off. I think it would be nice to control the error level
in REST responses with three levels: suppress/message/stack-trace.

On Mon, Sep 15, 2014 at 6:01 PM, joergprante@gmail.com <joergprante@gmail.com> wrote:

Then why don't you simply add a servlet filter that filters unwanted
responses away?

Jörg

On Tue, Sep 16, 2014 at 12:21 AM, Alex Roytman roytmana@gmail.com wrote:

I guess I could, but it would mean passing a response wrapper to capture the
output stream and then copy it to the real request or discard it in case of an
error. That would be a second copy of the response (the first one being done
in the NodeServlet) and would hurt performance for large responses :(

On Mon, Sep 15, 2014 at 6:40 PM, joergprante@gmail.com <joergprante@gmail.com> wrote:

You could just check for the response code 500, and you're done, no need to
capture streams.

Jörg

On Tue, Sep 16, 2014 at 12:53 AM, Alex Roytman roytmana@gmail.com wrote:

I may be missing something, but in the filter the check for the error will need
to be done after calling chain.doFilter(req, resp) (or we would not know
the status, which is set by the NodeServlet). At that point it is too late
to do anything about the response body if the output stream was written to.
That's the reason for capturing the stream in memory by using a response wrapper
and then writing or not writing it to the real response object, depending on
the status.

On Tuesday, September 16, 2014 3:10:25 AM UTC-4, Jörg Prante wrote:
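The buffering wrapper Alex describes in his last two messages, as an added example (this is not code from the thread or from the transport-wares project; the class names and the javax.servlet 3.x API are assumptions). It refines the design he sketches in one respect: bytes are held in memory only until the NodeServlet has set a status. Once the status is known, a success body streams straight through to the client and an error body is dropped as it is written, so a large 200 response is copied only if the servlet writes before calling setStatus().

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.WriteListener;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example; not code from this thread or from the transport-wares project.
 * Map it in web.xml ahead of the Elasticsearch NodeServlet (class name assumed).
 * Responses with status >= 400 keep their status code but get a fixed JSON body
 * instead of the ES exception text.
 */
public class EsErrorMaskingFilter implements Filter {

    static final String GENERIC_BODY = "{\"error\":\"request could not be processed\"}";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        MaskingResponse wrapped = new MaskingResponse((HttpServletResponse) res);
        chain.doFilter(req, wrapped);   // NodeServlet writes into the wrapper
        wrapped.finish();               // status is final now: emit or mask
    }

    /** Decides per write whether bytes reach the client. */
    static final class MaskingResponse extends HttpServletResponseWrapper {
        private int status = SC_OK;
        private boolean statusKnown = false;               // servlet has set a status
        private boolean error = false;                     // status >= 400
        private int contentLength = -1;                    // deferred Content-Length
        private final ByteArrayOutputStream held = new ByteArrayOutputStream();
        private ServletOutputStream stream;
        private PrintWriter writer;

        MaskingResponse(HttpServletResponse r) { super(r); }

        private void record(int sc) { status = sc; statusKnown = true; error = sc >= 400; }

        @Override public void setStatus(int sc) { record(sc); if (!error) super.setStatus(sc); }
        @Override public void sendError(int sc) { record(sc); }             // do not commit
        @Override public void sendError(int sc, String msg) { record(sc); } // drop the message
        @Override public void setContentLength(int len) { contentLength = len; }
        @Override public void flushBuffer() throws IOException {
            if (statusKnown && !error) { real(); super.flushBuffer(); }
        }

        @Override public ServletOutputStream getOutputStream() {
            if (stream == null) stream = new ServletOutputStream() {
                @Override public void write(int b) throws IOException { route(new byte[]{(byte) b}, 0, 1); }
                @Override public void write(byte[] b, int off, int len) throws IOException { route(b, off, len); }
                public boolean isReady() { return true; }            // Servlet 3.1 async API
                public void setWriteListener(WriteListener l) {}
            };
            return stream;
        }

        @Override public PrintWriter getWriter() {
            if (writer == null) writer = new PrintWriter(
                new OutputStreamWriter(getOutputStream(), StandardCharsets.UTF_8));
            return writer;
        }

        private void route(byte[] b, int off, int len) throws IOException {
            if (!statusKnown) held.write(b, off, len);      // undecided: hold the bytes
            else if (!error) real().write(b, off, len);     // success: pass through
            // error: the ES exception text is discarded here
        }

        /** Real output stream, with the deferred header and any held bytes applied first. */
        private ServletOutputStream real() throws IOException {
            if (contentLength >= 0) { super.setContentLength(contentLength); contentLength = -1; }
            ServletOutputStream out = getResponse().getOutputStream();
            if (held.size() > 0) { held.writeTo(out); held.reset(); }
            return out;
        }

        void finish() throws IOException {
            if (writer != null) writer.flush();
            if (error) {
                byte[] body = GENERIC_BODY.getBytes(StandardCharsets.UTF_8);
                HttpServletResponse r = (HttpServletResponse) getResponse();
                r.setStatus(status);                        // keep 400 vs 500, hide the reason
                r.setContentType("application/json");
                r.setContentLength(body.length);
                r.getOutputStream().write(body);
            } else {
                real();                                     // flush anything still held
            }
            getResponse().flushBuffer();
        }
    }
}
```

The filter-mapping's url-pattern should match the NodeServlet's. sendError() is recorded rather than delegated because the wrapped call would commit the response with the container's own error page before the filter regains control, and Content-Length is deferred because the value the servlet sets describes the ES body, which the filter may replace. If the servlet never calls setStatus() (default 200), the whole body is held and flushed in finish(), which is the double-copy case Alex is worried about; with the NodeServlet setting the status before writing, that path is not taken.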