chadongmin opened a new pull request, #5090:
URL: https://github.com/apache/zeppelin/pull/5090
### What is this PR for?
This PR fixes a security vulnerability in `WebApplicationExceptionMapper` that exposes sensitive information through exception serialization. When exceptions occur, the current implementation serializes the entire exception object to JSON and returns it to clients, potentially leaking stack traces, internal paths, class names, and other sensitive details. This PR replaces the detailed exception response with a generic error message while maintaining proper server-side logging for debugging purposes.
### What type of PR is it?
Improvement
### Todos
* [x] - Replace exception serialization with generic error message
* [x] - Maintain server-side error logging
### What is the Jira issue?
* https://issues.apache.org/jira/browse/ZEPPELIN-6352
### How should this be tested?
* **Automated testing**: Unit tests should verify that non-WebApplicationExceptions return a generic error message instead of detailed exception information
* **Manual testing**:
1. Trigger an exception in the application
2. Verify that the client receives only the generic error message:
`{"status":"error","message":"Internal server error"}`
3. Check server logs to confirm the full exception details are still logged
### Screenshots (if appropriate)
N/A
### Questions:
* Do the license files need to be updated? **No**
* Are there breaking changes for older versions? **No** - Only changes the error response format for better security
* Does this need documentation? **No**
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
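A hardened JAX-RS `ExceptionMapper` of the kind the PR describes, given here as an added illustration and not as the code from the Zeppelin pull request: it passes `WebApplicationException` responses through, logs everything else server-side, and returns only the fixed generic body to the client. It assumes the `javax.ws.rs` API and SLF4J; the class name `SafeExceptionMapper` is hypothetical.

```java
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical mapper illustrating the fix described in the PR; assumes the
// javax.ws.rs API (JAX-RS 2.x) and SLF4J are on the classpath.
@Provider
public class SafeExceptionMapper implements ExceptionMapper<Exception> {
  private static final Logger LOG = LoggerFactory.getLogger(SafeExceptionMapper.class);

  // Constant body: nothing derived from the exception (message, class name,
  // stack frames, file paths) can reach the client through this response.
  private static final String GENERIC_BODY =
      "{\"status\":\"error\",\"message\":\"Internal server error\"}";

  @Override
  public Response toResponse(Exception e) {
    if (e instanceof WebApplicationException) {
      // Deliberate HTTP errors (401, 404, ...) already carry a response the
      // resource built on purpose; forward it unchanged.
      Response original = ((WebApplicationException) e).getResponse();
      return Response.fromResponse(original).build();
    }

    // The vulnerable pattern would serialize `e` itself here (for example
    // gson.toJson(e)), shipping the stack trace to the caller. Instead, keep
    // the full detail on the server side where operators can read it.
    LOG.error("Unhandled exception while serving request", e);

    return Response.status(Response.Status.INTERNAL_SERVER_ERROR)
        .type(MediaType.APPLICATION_JSON_TYPE)
        .entity(GENERIC_BODY)
        .build();
  }
}
```

A unit test for this mapper can assert that `toResponse(new RuntimeException("/etc/secret"))` yields status 500 and exactly `GENERIC_BODY`, which is the check the PR's testing section asks for.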