From d8a30d4f192a6863cc265d5fa45a0962bb20c58b Mon Sep 17 00:00:00 2001
From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Date: Fri, 1 Sep 2023 08:47:25 -0500
Subject: [PATCH] [Backport 2.x] Prevent raw request body as output in serialization error messages (#3279)
Backport 9fb106cf1d1d3c0f009ff1caf1c5553c1f2bf4bc from #3205.
Signed-off-by: Andrey Pleskach
Signed-off-by: github-actions[bot]
Co-authored-by: github-actions[bot]
---
 .../java/org/opensearch/security/DefaultObjectMapper.java | 2 ++
 .../opensearch/security/NonValidatingObjectMapper.java | 8 ++------
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/main/java/org/opensearch/security/DefaultObjectMapper.java b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
index 27aae2b5e4..69e1d0ac83 100644
--- a/src/main/java/org/opensearch/security/DefaultObjectMapper.java
+++ b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
@@ -61,6 +61,8 @@ public class DefaultObjectMapper {
 // if jackson cant parse the entity, e.g. passwords, hashes and so on,
 // but provides which property is unknown
 objectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
+ defaulOmittingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
+ YAML_MAPPER.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
 // objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
 objectMapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
 defaulOmittingObjectMapper.setSerializationInclusion(Include.NON_DEFAULT);
diff --git a/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java b/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java
index dcc0973830..e0b34b3da1 100644
--- a/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java
+++ b/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java
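Review bot: Disabling INCLUDE_SOURCE_IN_LOCATION on defaulOmittingObjectMapper and YAML_MAPPER removes only the source snippet that JsonLocation appends to parse errors; as far as I know Jackson's coercion failures (InvalidFormatException, "Cannot deserialize value of type ... from String "...") still echo the offending token value in getMessage(), so code that forwards mapper exception messages to callers should still treat them as possibly containing request data. The same applies to the nonValidatingObjectMapper hunk in NonValidatingObjectMapper.java. The comment above the block names only objectMapper; I would extend it so the reason covers all three mappers, e.g. `// disabled on every mapper below so that no parse error echoes the request body`. Nothing in the diff pins this behaviour down: a unit test that feeds malformed JSON and YAML containing a sentinel string to each mapper and asserts the sentinel is absent from the exception message would keep the three disable() calls from drifting apart.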
@@ -45,6 +45,7 @@ public class NonValidatingObjectMapper {
 private static final ObjectMapper nonValidatingObjectMapper = new ObjectMapper();
 static {
+ nonValidatingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
 nonValidatingObjectMapper.setSerializationInclusion(Include.NON_NULL);
 nonValidatingObjectMapper.configure(JsonParser.Feature.STRICT_DUPLICATE_DETECTION, false);
 nonValidatingObjectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
@@ -65,12 +66,7 @@ public static T readValue(String string, JavaType jt) throws IOException {
 }
 try {
- return AccessController.doPrivileged(new PrivilegedExceptionAction() {
- @Override
- public T run() throws Exception {
- return nonValidatingObjectMapper.readValue(string, jt);
- }
- });
+ return AccessController.doPrivileged((PrivilegedExceptionAction) () -> nonValidatingObjectMapper.readValue(string, jt));
 } catch (final PrivilegedActionException e) {
 throw (IOException) e.getCause();
 }
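Review bot: The cast in the new `AccessController.doPrivileged((PrivilegedExceptionAction) () -> ...)` line exists only to select the checked-exception overload; binding the lambda to a typed local reads more clearly and drops the cast: `final PrivilegedExceptionAction<T> action = () -> nonValidatingObjectMapper.readValue(string, jt);` followed by `return AccessController.doPrivileged(action);`. As rendered here the cast target has no type argument (the method signature in the hunk header shows the same loss, so this is probably a rendering artifact); if the source really does cast to the raw type it should be `PrivilegedExceptionAction<T>` to avoid an unchecked conversion. readValue's signature and the guard preceding the try block lie above the hunk.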