This is an automated email from the ASF dual-hosted git repository.

chanholee pushed a commit to branch branch-0.12
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/branch-0.12 by this push:
     new 99c7ab4bac [ZEPPELIN-6352] Prevent information disclosure in WebApplicationExceptionMapper
99c7ab4bac is described below

commit 99c7ab4bacd6f0f84b544f9f01178c146eb52a28
Author: Dongmin Cha <[email protected]>
AuthorDate: Sun Oct 5 17:09:37 2025 +0900

    [ZEPPELIN-6352] Prevent information disclosure in WebApplicationExceptionMapper
    
    ### What is this PR for?
      This PR fixes a security vulnerability in `WebApplicationExceptionMapper` that exposes sensitive information through exception serialization. When exceptions occur, the current implementation serializes the entire exception object to JSON and returns it to clients, potentially leaking stack traces, internal paths, class names, and other sensitive details. This PR replaces the detailed exception response with a generic error message while maintaining proper server-side logging for debugging purposes.
    
      ### What type of PR is it?
      Improvement
    
      ### Todos
      * [x] - Replace exception serialization with generic error message
      * [x] - Maintain server-side error logging
    
      ### What is the Jira issue?
      * https://issues.apache.org/jira/browse/ZEPPELIN-6352
    
      ### How should this be tested?
      * **Automated testing**: Unit tests should verify that non-WebApplicationExceptions return a generic error message instead of detailed exception information
      * **Manual testing**:
        1. Trigger an exception in the application
        2. Verify that the client receives only the generic error message: `{"status":"error","message":"Internal server error"}`
        3. Check server logs to confirm the full exception details are still logged
    
      ### Screenshots (if appropriate)
      N/A
    
      ### Questions:
      * Do the license files need to be updated? **No**
      * Are there breaking changes for older versions? **No** - Only changes the error response format for better security
      * Does this need documentation? **No**
    
    Closes #5090 from chadongmin/ZEPPELIN-6352.
    
    Signed-off-by: ChanHo Lee <[email protected]>
    (cherry picked from commit 94f1d8175fbfeab64c85ab5d8eca087ada8b4e5c)
    Signed-off-by: ChanHo Lee <[email protected]>
---
 .../rest/exception/WebApplicationExceptionMapper.java   | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git 
a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/exception/WebApplicationExceptionMapper.java
 
b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/exception/WebApplicationExceptionMapper.java
index 2613bf3cc3..e5c99cf50b 100644
--- 
a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/exception/WebApplicationExceptionMapper.java
+++ 
b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/exception/WebApplicationExceptionMapper.java
@@ -17,37 +17,28 @@
 
 package org.apache.zeppelin.rest.exception;
 
-import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
 import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.ext.ExceptionMapper;
 import jakarta.ws.rs.ext.Provider;
 
-import org.apache.zeppelin.rest.message.gson.ExceptionSerializer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 @Provider
 public class WebApplicationExceptionMapper implements 
ExceptionMapper<Throwable> {
+    
   private static final Logger LOGGER = 
LoggerFactory.getLogger(WebApplicationExceptionMapper.class);
 
-  private final Gson gson;
-
-  public WebApplicationExceptionMapper() {
-    GsonBuilder gsonBuilder = new 
GsonBuilder().enableComplexMapKeySerialization();
-    gsonBuilder.registerTypeHierarchyAdapter(
-            Exception.class, new ExceptionSerializer());
-    this.gson = gsonBuilder.create();
-  }
-
   @Override
   public Response toResponse(Throwable exception) {
     if (exception instanceof WebApplicationException) {
       return ((WebApplicationException) exception).getResponse();
     } else {
       LOGGER.error("Error response", exception);
-      return Response.status(500).entity(gson.toJson(exception)).build();
+      // Return generic error message to prevent information disclosure
+      String errorMessage = "{\"status\":\"error\",\"message\":\"Internal 
server error\"}";
+      return Response.status(500).entity(errorMessage).build();
     }
   }
 }
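Review bot: the new 500 path `Response.status(500).entity(errorMessage).build()` writes a hand-built JSON string but sets no media type, so the Content-Type the client sees depends on the resource method's `@Produces` rather than matching the JSON body; adding `.type(MediaType.APPLICATION_JSON)` (and the matching `jakarta.ws.rs.core.MediaType` import) would make the generic response self-describing. The `+    ` line inserted directly after the class declaration is whitespace only and should be dropped. Worth stating in the PR description that the `WebApplicationException` branch is untouched: it still returns `getResponse()` as thrown, so any entity attached at the throw site is passed through to the client exactly as before.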
