Re: [PR] KNOX-3039 Add error message sanitization to GatewayServlet [knox]

Fri, 14 Jun 2024 05:40:57 -0700 


kardolus commented on code in PR #914:
URL: https://github.com/apache/knox/pull/914#discussion_r1639761224


##########
gateway-server/src/main/java/org/apache/knox/gateway/GatewayServlet.java:
##########
@@ -282,33 +281,15 @@ public Enumeration<String> getInitParameterNames() {
     }
   }
 
-  private Exception sanitizeException(Exception e) {
+  private SanitizedException logAndSanitizeException(Exception e) {
+    LOG.failedToExecuteFilter(e);
     if (e == null || e.getMessage() == null) {
-      return e;
+      return new SanitizedException(e.getMessage());
     }
     if (!isErrorMessageSanitizationEnabled || e.getMessage() == null) {
-      return e;
+      return new SanitizedException(e.getMessage());
     }
     String sanitizedMessage = 
e.getMessage().replaceAll(errorMessageSanitizationPattern, "[hidden]");
-
-    return createSanitizedException(e, sanitizedMessage);
-  }
-
-  private <T extends Exception> T createSanitizedException(T e, String 
sanitizedMessage) {
-    try {
-      Constructor<? extends Exception> constructor = 
e.getClass().getConstructor(String.class, Throwable.class);
-      T sanitizedException = (T) constructor.newInstance(sanitizedMessage, 
e.getCause());
-      sanitizedException.setStackTrace(e.getStackTrace());
-      return sanitizedException;
-    } catch (Exception ex) {
-      Exception genericException = new Exception(sanitizedMessage, 
e.getCause());
-      genericException.setStackTrace(e.getStackTrace());
-      return (T) genericException;
-    }
-  }
-
-  private <T extends Exception> T logAndSanitizeException(Exception e) throws 
T {
-    LOG.failedToExecuteFilter(e);
-    throw (T) sanitizeException(e);
+    return new SanitizedException(sanitizedMessage);

Review Comment:
   @pzampino There are some downsides in moving the logic over to the 
`SanitizationException` class. It makes the code less flexible and potentially 
harder to maintain (e.g. what if other classes want to throw a 
`SanitizedException` but with different logic?). It's also a bit of an effort 
to refactor the tests. We haven't decided yet that this pattern is better than 
keeping the original `Exception` type (see my previous comment). Finally, but 
less important IMO, moving the logic over to `SanitizedException` can be seen 
as a violation of the Single Responsibility Principle. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to