Version 2.2.6 gives useful error messages
/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe
(not found)
->
"Kunde not found" (the text used in the exception)
/kunde-api/kunden/123
(no UUID)
->
"Failed to convert value of type 'java.lang.String' to required type 'java.util.UUID'; nested exception is java.lang.IllegalArgumentException: Invalid UUID string: 123" (out-of-the-box)
Version 2.3.0 gives worse error messages
/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe
(not found)
->
"An error occurred while processing the request" (so, what's the problem here??)
/kunde-api/kunden/123
(no UUID)
->
"An error occurred while processing the request" (so, what's the problem here??)
Comment From: wilkinsona
Thanks for the report. Unfortunately, without some more context it's hard to be certain about the problem that you're describing. Making an educated guess, assuming that you're referring to the default error controller's output and that you're using 2.3.0 snapshots, this may be due to https://github.com/spring-projects/spring-boot/issues/20505. Can you please clarify?
Comment From: octopus-prime
Hmm... don't know about 'default error page'.
But I know I throw an explicit exception, like
throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Kunde not found")
2.2.6:
GET https://localhost/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe
->
{
"timestamp": "2020-04-26T18:59:11.692+0000",
"status": 404,
"error": "Not Found",
"message": "Kunde not found",
"path": "/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe"
}
2.3.0:
GET https://localhost/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe
->
{
"timestamp": "2020-04-26T18:59:11.692+0000",
"status": 404,
"error": "Not Found",
"message": "An error occurred while processing the request",
"path": "/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe"
}
Comment From: octopus-prime
okay. got it...
server:
  error:
    include-details: always
shows old behaviour.
Comment From: octopus-prime
What's the idea behind that change? Why does running with default settings cause explicit error messages to be eaten up?!
Comment From: wilkinsona
Exception messages can leak implementation details. In your example above, you have leaked the fact that the server is using Java and that the value is being parsed into a UUID. Depending on the circumstances and the information that is being leaked, this could allow an attacker to identify a vulnerability that they can exploit.
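The leak wilkinsona describes can be checked for mechanically. The following is an added example, not code from this thread or from Spring Boot: a small Python model of the error-body policy being discussed (hide every message, copy it verbatim, or a hypothetical "explicit-only" mode that shows only messages a handler raised on purpose), together with a check that flags error messages containing Java class names, exception names, or Spring's "nested exception is" wording. The sample messages are the two quoted in the thread; the `explicit-only` policy and the `LEAK_PATTERNS` list are assumptions made for this example, not Spring Boot settings.

```python
# Added example, not code from the issue thread or from Spring Boot: a model of the
# error-message policy discussed above plus a leak check a defender can run over
# error bodies before they reach clients.
import re

GENERIC_MESSAGE = "An error occurred while processing the request"

# Patterns that indicate an error message exposes implementation details.
# Constructed for this example; extend them to match your own stack.
LEAK_PATTERNS = [
    re.compile(r"\bjava\.[a-z]+(\.[A-Za-z_$][\w$]*)+"),  # java.lang.String, java.util.UUID
    re.compile(r"\b[A-Z]\w*(Exception|Error)\b"),        # IllegalArgumentException
    re.compile(r"nested exception is"),                   # Spring's wrapped-cause wording
    re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),      # stack-frame lines
]


def leaked_details(message):
    """Return the fragments of an error message that look like implementation details."""
    found = []
    for pattern in LEAK_PATTERNS:
        found.extend(m.group(0) for m in pattern.finditer(message))
    return found


def render_error(status, reason, path, exc_message, include_message="never", explicit=False):
    """Build the error body as a dict, mirroring the fields shown in the thread.

    include_message:
      "never"         - hide every exception message (the conservative default)
      "always"        - copy the exception message verbatim (what the thread's
                        'include-details: always' config restores)
      "explicit-only" - hypothetical policy for this example: show the message only
                        when the handler raised it on purpose for the client
                        (explicit=True); framework-generated messages stay hidden
    """
    if include_message == "always":
        message = exc_message
    elif include_message == "explicit-only" and explicit:
        message = exc_message
    else:
        message = GENERIC_MESSAGE
    return {"status": status, "error": reason, "message": message, "path": path}


def audit(bodies):
    """Return (path, leaked fragments) for every body whose message leaks details."""
    findings = []
    for body in bodies:
        fragments = leaked_details(body["message"])
        if fragments:
            findings.append((body["path"], fragments))
    return findings


# Sample messages taken from the thread above.
NOT_FOUND_MSG = "Kunde not found"
CONVERSION_MSG = ("Failed to convert value of type 'java.lang.String' to required type "
                  "'java.util.UUID'; nested exception is java.lang.IllegalArgumentException: "
                  "Invalid UUID string: 123")


if __name__ == "__main__":
    bodies = [
        # The explicit ResponseStatusException reason: safe to show to the client.
        render_error(404, "Not Found", "/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe",
                     NOT_FOUND_MSG, include_message="explicit-only", explicit=True),
        # The out-of-the-box conversion failure, copied verbatim: leaks class names.
        render_error(400, "Bad Request", "/kunde-api/kunden/123",
                     CONVERSION_MSG, include_message="always"),
    ]
    for path, fragments in audit(bodies):
        print(f"{path}: leaks {fragments}")
```

Running the block prints one finding, for `/kunde-api/kunden/123`, listing `java.lang.String`, `java.util.UUID`, the exception class and the "nested exception is" phrase; the explicit "Kunde not found" body passes. The design point is that "always" is a blanket switch, so restoring it to get the explicit message back also restores the framework's conversion messages; a per-exception policy like the hypothetical `explicit-only` mode, or a `@ControllerAdvice` that rewrites messages, is what separates the two cases.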