divijvaidya commented on code in PR #12229: URL: https://github.com/apache/kafka/pull/12229#discussion_r903664991
########## clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/HttpAccessTokenRetriever.java: ########## 
@@ -326,7 +326,7 @@ static String formatRequestBody(String scope) throws IOException { return requestParameters.toString(); } catch (UnsupportedEncodingException e) { // The world has gone crazy! - throw new IOException(String.format("Encoding %s not supported", StandardCharsets.UTF_8.name())); + throw new IOException(String.format("Encoding %s not supported", StandardCharsets.UTF_8.name()), e);

Review Comment:

`UnsupportedEncodingException` is thrown for 2 cases, and in either of the two cases the string being encoded is not printed in the exception message; hence, we don't leak any message information using the exception.

Case 1: for `UnsupportedCharsetException`, in which case only the charset name is printed in the string, as per the implementation below:

```
public class UnsupportedCharsetException extends IllegalArgumentException {

    private static final long serialVersionUID = 1490765524727386367L;

    private String charsetName;

    /**
     * Constructs an instance of this class.
     *
     * @param charsetName
     *        The name of the unsupported charset
     */
    public UnsupportedCharsetException(String charsetName) {
        super(String.valueOf(charsetName));
        this.charsetName = charsetName;
    }

    /**
     * Retrieves the name of the unsupported charset.
     *
     * @return The name of the unsupported charset
     */
    public String getCharsetName() {
        return charsetName;
    }
}
```

Case 2: for `IllegalCharsetNameException`, which again just prints the name of the charset. See the implementation below:

```
public class IllegalCharsetNameException extends IllegalArgumentException {

    private static final long serialVersionUID = 1457525358470002989L;

    private String charsetName;

    /**
     * Constructs an instance of this class.
     *
     * @param charsetName
     *        The illegal charset name
     */
    public IllegalCharsetNameException(String charsetName) {
        super(String.valueOf(charsetName));
        this.charsetName = charsetName;
    }

    /**
     * Retrieves the illegal charset name.
     *
     * @return The illegal charset name
     */
    public String getCharsetName() {
        return charsetName;
    }
}
```

Is there any other security risk that you are alluding to here? Adding the stack trace is beneficial here to quickly determine whether the failure is due to case 1 or case 2.
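Review bot: Passing `e` as the cause is the right fix for this hunk; the wrapped `UnsupportedEncodingException` carries only the charset name in its message, so chaining it preserves the stack trace without putting any of the encoded request parameters (client id, secret, scope) into the error text. Two small follow-ups: the `// The world has gone crazy!` comment should say why this branch is effectively unreachable (`StandardCharsets.UTF_8` is a charset every JVM must support), and if the module's minimum Java level allows it, `URLEncoder.encode(String, Charset)` (Java 10+) would remove the checked exception and this catch block altogether; if Java 8 support is still required, keep the current shape.

As an added illustration of the point the review comment makes (not code from the Kafka PR), the following stand-alone Java program wraps an encoding failure with its cause exactly as the hunk does, forces the failure path with a constructed charset name the JVM does not know, and then walks the cause chain to confirm that no message in it contains the secret being encoded. The method names `encodeSecret` and `chainMentions` are hypothetical and chosen for this example.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class ExceptionLeakCheck {

    // Hypothetical stand-in for formatRequestBody: URL-encodes a client secret with the
    // given charset name and, on failure, rethrows as IOException with the cause attached
    // (the pattern introduced by the hunk under review).
    static String encodeSecret(String secret, String charsetName) throws IOException {
        try {
            return "client_secret=" + URLEncoder.encode(secret, charsetName);
        } catch (UnsupportedEncodingException e) {
            throw new IOException(String.format("Encoding %s not supported", charsetName), e);
        }
    }

    // Defensive check: walk the cause chain and report whether any exception message
    // contains the secret. A logging layer could apply the same test before emitting a trace.
    static boolean chainMentions(Throwable t, String secret) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String msg = c.getMessage();
            if (msg != null && msg.contains(secret)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        String secret = "s3cr3t-value"; // constructed sample value

        // UTF-8 is mandatory on every JVM, so the normal path never reaches the catch block.
        System.out.println(encodeSecret(secret, StandardCharsets.UTF_8.name()));

        // Constructed charset name that no JVM knows, used only to exercise the failure path.
        try {
            encodeSecret(secret, "NO-SUCH-CHARSET");
        } catch (IOException e) {
            System.out.println("wrapped message: " + e.getMessage());
            System.out.println("cause message:   " + e.getCause().getMessage());
            System.out.println("secret present anywhere in chain: " + chainMentions(e, secret));
        }
    }
}
```

When run, the wrapped message and the cause message both name only the charset, and `chainMentions` reports `false`: attaching the cause adds the stack frames needed to tell the two JDK cases apart, but adds nothing from the request body to what gets logged.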