Hi All!
The Spring Boot 2.3.0.RELEASE documentation indicates that the default value for server.error.include-stacktrace is Never; however, the default behavior is set to always, which leads to exposing internal stack trace information.
Kindly check the default configuration value for this property to avoid exposing information, and manually set the value to Never in the application.properties file.
Many Thanks! Gaston Geler
Comment From: scottfrederick
@ggeler Can you provide more information or a sample app to demonstrate a case where server.error.include-stacktrace defaults to always? There are test cases for the servlet and reactive paths to verify that the trace element is omitted by default.
Including DevTools in your application does change the default for the server.error.include-* properties to always to aid in debugging, but you should never include DevTools in a production application.
Comment From: ggeler
Hi @scottfrederick Sorry for the delay, but it's been crazy lately.
I think that this is not an issue, but rather a situation that I found after removing DevTools from my pom file. When DevTools is in the pom file, stacktrace = always, which is fine. Then right after removing it, application restarted automatically and server.error.include-stacktrace still showed always.
After another (2nd) relaunch of the application, server.error.include-stacktrace = null, hence the value was properly refreshed to null.
Sorry for raising an issue on this, and taking your time.
To demonstrate the case, I added the following code in a CommandLineRunner. Add DevTools to the pom.xml file, restart the app, e=ALWAYS. Then remove DevTools, e=ALWAYS. Restart the app, then e=NULL.
    @Bean
    public CommandLineRunner run(@Autowired Environment env) {
        return (args) -> {
            var e = env.getProperty("server.error.include-stacktrace");
            System.out.println("Env: " + e);
        };
    }
Comment From: scottfrederick
No worries @ggeler, thanks for getting back to us with the details.
Comment From: scottfrederick
@ggeler After some discussion, we're trying to understand if there's a problem with DevTools restarts and all the properties that DevTools sets.
> right after removing it, application restarted automatically and server.error.include-stacktrace still showed always.
> After another (2nd) relaunch of the application, server.error.include-stacktrace = null
Can you give a bit more detail on how the app was restarted/relaunched in this flow? Were both of these a DevTools automatic restart, or did you manually restart the application in either case?
Comment From: ggeler
@scottfrederick The first restart was a DevTools automatic restart. The second one was a manual restart of the application using the Spring Boot dashboard (Eclipse 2020-03) Start/Restart button. This happened when running the app in both debug mode and non-debug mode. - Gaston
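
A startup guard for the situation discussed in this thread, as an added example that is not code from the thread or from the Spring Boot project: it stops a production run when DevTools is on the classpath or when the bound server.error.include-stacktrace value is anything other than NEVER. It assumes a Spring Boot 2.3 web application; the class name ErrorExposureGuard and the "prod" profile name are hypothetical.

```java
import org.springframework.boot.ApplicationRunner;
import org.springframework.boot.autoconfigure.web.ErrorProperties.IncludeStacktrace;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.util.ClassUtils;

// Added example: fail fast if error responses could carry stack traces.
@Configuration
@Profile("prod") // assumption: production runs with a profile named "prod"
public class ErrorExposureGuard {

    // A class shipped in spring-boot-devtools; if it loads, DevTools is on the classpath.
    private static final String DEVTOOLS_MARKER =
            "org.springframework.boot.devtools.restart.Restarter";

    @Bean
    public ApplicationRunner errorExposureCheck(ServerProperties server) {
        return args -> {
            ClassLoader loader = ErrorExposureGuard.class.getClassLoader();
            if (ClassUtils.isPresent(DEVTOOLS_MARKER, loader)) {
                throw new IllegalStateException(
                        "spring-boot-devtools is on the classpath in a prod run");
            }
            // Read the bound value rather than a raw property lookup, so the check
            // sees DevTools-supplied defaults as well as application.properties.
            IncludeStacktrace effective = server.getError().getIncludeStacktrace();
            if (effective != IncludeStacktrace.NEVER) {
                throw new IllegalStateException(
                        "server.error.include-stacktrace is " + effective
                                + ", expected NEVER");
            }
        };
    }
}
```

An exception thrown from an ApplicationRunner makes SpringApplication.run fail, so the application does not stay up with the unsafe setting.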