Change StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION default to false in Jackson 2.16
#991
Comments
|
Not great timing. v2.15 is advanced in its release and very very late to add this. You have also not explained where the PII risk is. Is it logging? Jackson doesn't do much logging. If you log, Jackson exceptions, maybe it's your responsibility to filter out PII. You can't make every compliance issue the responsibility of external lib maintainers. For more instance, can you explain how a 'location' can even expose PII? |
Discussing release timing is preemptive, lets first discuss the viability of the change. If it needs to be in a follow up release then so be it.
Please read the description of the flag to understand. This will add the source to the exception message, which will be logged as part of the stack trace. It is very standard for stack traces to be logged. If the source was part of some custom field on the exception it would not be logged, and could instead be voluntarily logged, or inspected in debugger.
100% agree, but I think making this particular one a responsibility of the lib is the right call, which is why I am raising this ticket. You can see for yourself how infrequently this flag is set to false, when in reality you should expect a much higher incidence of its use. Additionally "Secure by default" should be the position of all external lib maintainers. This is not about accommodating a security vulnerability, but by default preventing it. |
|
@quinlam you have not provided any real info to justify your request. Please provide real examples. |
Take the following code snippet/example public SampleDataInput parseInput(final String input) {
final ObjectMapper mapper = new ObjectMapper();
try {
return mapper.readValue(input, SampleDataInput.class);
} catch (JsonProcessingException e) {
// Exception can be caught and handled, but will typically added back to stack trace
throw new RuntimeException("my custom exception message", e);
}
}This could be used to parse customer input, or parse stored serialized json input. If I pass in the following string The following will be part of the stack trace; This can result in PII data being exposed in logs. As a base case this exposes PII data to those who are intended to have log access (but should not have access to PII data), at the worst case this in conjunction with N other exploits could result in customer data exposed externally. Many systems and services have stringent controls on logging PII data for this reason, this edge case can easily slip by teams. |
|
@cowtowncoder any appetite to make this change in a v2.15.0-rc4? I sort of agree with the OP that the information that is given in the stacktrace by default is too much. Now that this has been raised publicly, we'll have people pressing for the change and even looking for CVEs or Sonatype issues until it is changed. I've been looking for the number parsing changes out since September 2022 when we got the initial report of that parsing exploit - so I, more than anyone, would love to see v2.15 released. Unfortunately, we are now in an era where this sort of logging is regarded as a problem. |
|
No, I don't think this should be changed at this point, and I don't plan on such a last minute change. I am not yet 100% sure I agree with changes during 2.x -- Jackson itself logs nothing. Its caller that prints out stack trace, if anyone. But then again, I can see how inclusion of source (... for some types of input) can be problematic, given there is no mechanism for filtering. I would be more open to changes in 3.x, but once again it's a bigger discussion: stack trace information is very important for developers, and it's up to them to decide where and how to disclose it. I'll flag this as 2.16 at this point. |
|
I appreciate that this change would be difficult for a 2.15 delivery and I don't have visibility of the practicality of making such a last minute change and so have no intention to push here. I would still advocate for the change as part of 2.x and 2.16 specifically, and appreciate it being tagged as such so we can continue to evaluate the viability of the change.
This behavior is ubiquitous enough that I would consider "Jackson adds the source to the logs on formatting exceptions" to be a relatively truthful statement (ignoring semantics)
I agree, but I believe they should opt into this, and not have to opt out. I see this as akin to DEBUG/TRACE logs. The developer must opt in and enable the extra verbosity. |
|
Ok, fair enough. I think we should consider defaults for 2.16, with some discussion: possibly including verbiage in place of source document to indicate feature to enable to get snippet (to help devs that are now puzzled by sudden disappearance). |
cowtowncoder
changed the title
cowtowncoder
changed the title
StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION default to false in Jackson 2.16
Jackson 2.16+ redacts source from exception messages by default. I don't think this matters for GoCD at runtime, but it does cause this test assertion to fail, as it's looking for specific text to make sure the logic to force some bad JSON in `JsonOutputWriter` is working. Don't really understand the background of why the JsonOutputWriter behaves this way, however probably better to err on the side of not leaking data in the logs for now, so not changing the default back for the JsonOutputWriter to include source. See https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.16#streaming-jackson-core and FasterXML/jackson-core#991
|
Is there any way to change this configuration universally? We have several components where we have implemented custom filtration as needed, so in all other logging scenarios we want to have the That is quite impractical when we have many places where we use many different constructors across several different applications. |
Please don't comment on closed issues. Open a discussion (preferred) or a new issue instead. |
|
Aside from comment by @pjfanning that I agree with, I might well answer here: no. Jackson is a component used by many frameworks, other libraries, and global defaulting is typically a bad idea for such cases. We have limited number of exceptions, but those do not include |
The INCLUDE_SOURCE_IN_LOCATION flag defaults to true, which means for improperly formatted input, the input will be logged as part of the stack trace. If the input contains PII data this can be a potential security vulnerability or violation of data handling standards for given services.
This issue/ticket is requesting that the flag be changed to default to false, and align with a "Secure by default" approach to the library. Given how widely this library is used it could provide a wide impacting improvement to the security of applications across the industry.
I acknowledge that this comes at the cost of;
I believe this cost should be paid now in advance of some potential exploit in the future. While developers always have to option to set this flag to false themselves manually, grepping repositories and seeing how infrequently this flag is altered leads me to conclude that there is a lot of data out there inappropriately logged.
The text was updated successfully, but these errors were encountered: