divijvaidya commented on code in PR #12229:
URL: https://github.com/apache/kafka/pull/12229#discussion_r903664991


##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/HttpAccessTokenRetriever.java:
##########
@@ -326,7 +326,7 @@ static String formatRequestBody(String scope) throws 
IOException {
             return requestParameters.toString();
         } catch (UnsupportedEncodingException e) {
             // The world has gone crazy!
-            throw new IOException(String.format("Encoding %s not supported", 
StandardCharsets.UTF_8.name()));
+            throw new IOException(String.format("Encoding %s not supported", 
StandardCharsets.UTF_8.name()), e);
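Review bot: chaining `e` as the cause on the new `throw new IOException(String.format("Encoding %s not supported", StandardCharsets.UTF_8.name()), e);` line is the right change, since it keeps the original stack frames without adding request data to the message (the cause's message carries only the charset name), but the comment above it, `// The world has gone crazy!`, should state why this branch is effectively unreachable: the Java platform requires every JVM to support UTF-8, so an `UnsupportedEncodingException` for `StandardCharsets.UTF_8.name()` can only come from a broken runtime. A one-line comment saying that, in place of the joke, would tell the next reader why nothing more specific is done here.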

Review Comment:
   `UnsupportedEncodingException` is thrown for 2 cases and in either of the 
two cases, the string being encoded is not printed in the exception message and 
hence, we don't leak any message information using the exception.
   
   Case 1: for `UnsupportedCharsetException` in which case, only charset is 
printed in the string as per the implementation as below:
   ```
   public class UnsupportedCharsetException
       extends IllegalArgumentException
   {
   
       private static final long serialVersionUID = 1490765524727386367L;
   
       private String charsetName;
   
       /**
        * Constructs an instance of this class.
        *
        * @param  charsetName
        *         The name of the unsupported charset
        */
       public UnsupportedCharsetException(String charsetName) {
           super(String.valueOf(charsetName));
           this.charsetName = charsetName;
       }
   
       /**
        * Retrieves the name of the unsupported charset.
        *
        * @return  The name of the unsupported charset
        */
       public String getCharsetName() {
           return charsetName;
       }
   
   }
   ```
   
   Case 2: for `IllegalCharsetNameException` which again, just prints the name 
of the charset. See implementation as below:
   ```
   public class IllegalCharsetNameException
       extends IllegalArgumentException
   {
   
       private static final long serialVersionUID = 1457525358470002989L;
   
       private String charsetName;
   
       /**
        * Constructs an instance of this class.
        *
        * @param  charsetName
        *         The illegal charset name
        */
       public IllegalCharsetNameException(String charsetName) {
           super(String.valueOf(charsetName));
           this.charsetName = charsetName;
       }
   
       /**
        * Retrieves the illegal charset name.
        *
        * @return  The illegal charset name
        */
       public String getCharsetName() {
           return charsetName;
       }
   
   }
   ```
   
   Is there any other security risk that you are alluding to here? Adding the 
stack trace is beneficial here to quickly determine whether the failure is due 
to case 1 or case 2.
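The review comment argues that neither charset failure puts the encoded value into the exception message, so chaining the cause does not leak request parameters. The following program is an added example, not Kafka's code and not part of the PR; it assumes the encoding step is `java.net.URLEncoder.encode(value, charsetName)` (the hunk above does not show which encoder `formatRequestBody` uses), and the helper names `encodeParameter` and `chainLeaks` are made up for the demonstration. It reproduces both cases the comment describes, wraps the failure the same way the hunk does, and then walks the cause chain to confirm that no message in it contains the secret being encoded.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class ExceptionLeakCheck {

    // Hypothetical helper shaped like the catch block in the hunk: wrap the
    // encoding failure in an IOException and chain the original as the cause.
    static String encodeParameter(String name, String value, String charsetName) throws IOException {
        try {
            return name + "=" + URLEncoder.encode(value, charsetName);
        } catch (UnsupportedEncodingException e) {
            throw new IOException(String.format("Encoding %s not supported", charsetName), e);
        }
    }

    // Walk the cause chain and report whether any message contains the secret.
    static boolean chainLeaks(Throwable t, String secret) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            String msg = cur.getMessage();
            if (msg != null && msg.contains(secret)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for an OAuth client secret.
        String secret = "constructed-client-secret-for-demo";

        // Case 1: a well-formed charset name no JVM provides, which makes
        //         Charset.forName throw UnsupportedCharsetException inside URLEncoder.
        // Case 2: a name containing characters a charset name may not contain
        //         (space, '!'), which makes it throw IllegalCharsetNameException.
        // URLEncoder turns both into UnsupportedEncodingException(charsetName),
        // so the chained cause's message is only the charset name.
        for (String badCharset : new String[] {"no-such-charset", "bad name!"}) {
            try {
                encodeParameter("client_secret", secret, badCharset);
            } catch (IOException e) {
                System.out.println("message      : " + e.getMessage());
                System.out.println("cause        : " + e.getCause().getClass().getSimpleName()
                        + " / " + e.getCause().getMessage());
                System.out.println("leaks secret : " + chainLeaks(e, secret));
            }
        }

        // The code path the hunk actually runs: UTF-8 is required by the Java
        // platform on every JVM, so this call never reaches the catch block.
        try {
            System.out.println(encodeParameter("scope", "read write", StandardCharsets.UTF_8.name()));
        } catch (IOException e) {
            throw new AssertionError("UTF-8 must be supported on every JVM", e);
        }
    }
}
```

Running it prints the wrapping message and the cause's message for each case (both containing only the charset name) followed by `leaks secret : false`, and then the successfully encoded `scope=read+write`; the stack trace attached through the cause is what lets a reader distinguish the two failure modes without the message itself carrying any of the request body.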



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
