[Backport 2.x] Prevent raw request body as output in serialization er…

…ror messages (#3279) Backport 9fb106c from #3205. Signed-off-by: Andrey Pleskach <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
opensearch-project · Sep 1, 2023 · d8a30d4 · d8a30d4
1 parent 4c9e6eb
commit d8a30d4
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 6 deletions.
diff --git a/src/main/java/org/opensearch/security/DefaultObjectMapper.java b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
@@ -61,6 +61,8 @@ public class DefaultObjectMapper {
         // if jackson cant parse the entity, e.g. passwords, hashes and so on,
         // but provides which property is unknown
         objectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
+        defaulOmittingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
+        YAML_MAPPER.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
         // objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
         objectMapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
         defaulOmittingObjectMapper.setSerializationInclusion(Include.NON_DEFAULT);

diff --git a/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java b/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java
@@ -45,6 +45,7 @@ public class NonValidatingObjectMapper {
     private static final ObjectMapper nonValidatingObjectMapper = new ObjectMapper();
 
     static {
+        nonValidatingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
         nonValidatingObjectMapper.setSerializationInclusion(Include.NON_NULL);
         nonValidatingObjectMapper.configure(JsonParser.Feature.STRICT_DUPLICATE_DETECTION, false);
         nonValidatingObjectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
@@ -65,12 +66,7 @@ public static <T> T readValue(String string, JavaType jt) throws IOException {
         }
 
         try {
-            return AccessController.doPrivileged(new PrivilegedExceptionAction<T>() {
-                @Override
-                public T run() throws Exception {
-                    return nonValidatingObjectMapper.readValue(string, jt);
-                }
-            });
+            return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () -> nonValidatingObjectMapper.readValue(string, jt));
         } catch (final PrivilegedActionException e) {
             throw (IOException) e.getCause();
         }