Github user cestella commented on a diff in the pull request:
https://github.com/apache/metron/pull/779#discussion_r142471360
--- Diff:
metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/RestExceptionHandler.java
---
@@ -35,7 +36,7 @@
@ResponseBody
ResponseEntity<?> handleControllerException(HttpServletRequest request,
Throwable ex) {
HttpStatus status = getStatus(request);
- return new ResponseEntity<>(new RestError(status.value(),
ex.getMessage(), getFullMessage(ex)), status);
+ return new ResponseEntity<>(new RestError(status.value(),
ex.getMessage(), ExceptionUtils.getStackTrace(ex)), status);
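Review bot: on the `+` line, the third `RestError` argument becomes `ExceptionUtils.getStackTrace(ex)`, so the full stack trace is serialized into the `@ResponseBody` payload and returned to whoever issued the HTTP request, which is a different audience from the server logs. A trace tells the caller internal class and package names, line numbers and the libraries in the call path, and `ex.getMessage()` is already returned alongside it. Consider keeping the response to the root-cause message (if this is the commons-lang `ExceptionUtils`, `getRootCauseMessage(ex)` does that) and logging the full trace in this handler instead, since the visible lines do not log `ex` anywhere. If the full trace is needed in the UI for debugging, a configuration switch that is off by default would be worth adding and documenting.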
--- End diff --
I think I can live with just the root cause, but I'd like to know how
exposing the stack trace is a security issue first. Can you clarify the
reasoning behind it, @ottobackwards? It's not that I disbelieve you, but I'd
like to better understand because we currently have stack traces in logs all
over the place.
---