
fix: Do not expose debug in a response when a schema is not found #2348

Merged (4 commits), Mar 29, 2022

Conversation

sawadashota (Contributor)

Related issue(s)

Do not expose debug in a response when a schema is not found.
This debug property does not look valuable for clients and only adds risk by exposing server information such as middleware.

$  curl http://localhost:4455/.ory/kratos/public/schemas/not_found
{"error":{"code":404,"status":"Not Found","debug":"id=\nrid=\nerror=The request was malformed or contained invalid parameters\nreason=Unable to find JSON Schema ID: not_found\ndetails=map[]\ndebug=\n\ngit.luolix.top/ory/kratos/schema.Schemas.GetByID\n\t/project/schema/schema.go:37\ngit.luolix.top/ory/kratos/schema.(*Handler).getByID\n\t/project/schema/handler.go:106\ngit.luolix.top/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:18\ngit.luolix.top/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:18\ngit.luolix.top/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387\ngit.luolix.top/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:234\ngit.luolix.top/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:185\ngit.luolix.top/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngit.luolix.top/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngit.luolix.top/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngit.luolix.top/ory/kratos/x.glob..func1\n\t/project/x/clean_url.go:12\ngit.luolix.top/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngit.luolix.top/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngit.luolix.top/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:198\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngit.luolix.top/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:101\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngit.luolix.top/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngit.luolix.top/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngit.luolix.top/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:165\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngit.luolix.top/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1\n\t/go/pkg/mod/github.com/ory/x@v0.0.358/prometheusx/metrics.go:108\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2047\ngit.luolix.top/ory/x/prometheusx.(*MetricsManager).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.358/prometheusx/middleware.go:30\ngit.luolix.top/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngit.luolix.top/ory/x/tracing.(*Tracer).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.358/tracing/middleware.go:36\ngit.luolix.top/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngit.luolix.top/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.358/metricsx/middleware.go:275\ngit.luolix.top/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38","message":"The requested resource could not be found"}}

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I am following the contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got green light (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added or changed the documentation.

Signed-off-by: sawadashota <shota@sslife.tech>
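To make the risk in the curl output concrete, here is an added, self-contained Go example (not kratos code; the schema store, the handler path `/schemas/{id}`, the fake call-site text and the `LeaksInternals` check are all constructed for illustration). It serves the same 404 body in two variants: one that copies the internal error detail into `debug`, as the response above did, and the hardened one that keeps the error server-side and only returns the generic message. `LeaksInternals` is the kind of regression check a test suite can keep so that source locations and build paths never reappear in an error body.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed schema store standing in for the real registry: only "default" exists.
var knownSchemas = map[string]string{"default": `{"type":"object"}`}

var errSchemaNotFound = errors.New("unable to find JSON Schema ID")

// errorBody mirrors the shape of the 404 body shown in the PR description.
// omitempty drops an empty Debug field from the JSON entirely.
type errorBody struct {
	Code    int    `json:"code"`
	Status  string `json:"status"`
	Message string `json:"message"`
	Debug   string `json:"debug,omitempty"`
}

type response struct {
	Error errorBody `json:"error"`
}

// internalDetail is the kind of text that ended up in "debug": the wrapped
// error plus call sites. The path below is constructed, not a real trace.
func internalDetail(err error) string {
	return fmt.Sprintf("error=%v\n\nexample.invalid/schema.GetByID\n\t/project/schema/schema.go:37", err)
}

// writeNotFound emits the 404 body. exposeDebug=true reproduces the leaky
// behaviour; exposeDebug=false is the hardened form: err stays available
// for server-side logging, but only the generic message leaves the process.
func writeNotFound(w http.ResponseWriter, err error, exposeDebug bool) {
	body := response{Error: errorBody{
		Code:    http.StatusNotFound,
		Status:  http.StatusText(http.StatusNotFound),
		Message: "The requested resource could not be found",
	}}
	if exposeDebug {
		body.Error.Debug = internalDetail(err)
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusNotFound)
	_ = json.NewEncoder(w).Encode(body)
}

// schemaHandler serves GET /schemas/{id} from knownSchemas.
func schemaHandler(exposeDebug bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id := strings.TrimPrefix(r.URL.Path, "/schemas/")
		raw, ok := knownSchemas[id]
		if !ok {
			writeNotFound(w, fmt.Errorf("%w: %s", errSchemaNotFound, id), exposeDebug)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write([]byte(raw))
	}
}

// Get runs one in-process request against h and returns status code and body.
func Get(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

// LeaksInternals reports whether an error body carries a "debug" string that
// looks like Go source locations (file.go:line) or build paths.
func LeaksInternals(body string) bool {
	var parsed map[string]map[string]interface{}
	if err := json.Unmarshal([]byte(body), &parsed); err != nil {
		return false
	}
	dbg, ok := parsed["error"]["debug"].(string)
	return ok && (strings.Contains(dbg, ".go:") || strings.Contains(dbg, "/project/"))
}

func main() {
	for _, expose := range []bool{true, false} {
		code, body := Get(schemaHandler(expose), "/schemas/not_found")
		fmt.Printf("exposeDebug=%v status=%d leaks=%v\n%s", expose, code, LeaksInternals(body), body)
	}
}
```

The hardened variant keeps the status code, status text and message byte-for-byte identical to the original, so clients lose nothing they could act on; only the server-side error chain and middleware stack stay out of the response.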
codecov bot commented Mar 29, 2022

Codecov Report

Merging #2348 (6a76e95) into master (bf970f3) will increase coverage by 0.00%.
The diff coverage is 100.00%.

❗ Current head 6a76e95 differs from pull request most recent head e1fec05. Consider uploading reports for the commit e1fec05 to get more accurate results

@@           Coverage Diff           @@
##           master    #2348   +/-   ##
=======================================
  Coverage   76.55%   76.55%           
=======================================
  Files         318      318           
  Lines       17298    17294    -4     
=======================================
- Hits        13242    13240    -2     
+ Misses       3122     3120    -2     
  Partials      934      934           
Impacted Files       Coverage Δ
schema/handler.go    82.27% <100.00%> (ø)
courier/courier.go   76.92% <0.00%> (+3.58%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b85c0e6...e1fec05.

sawadashota and others added 3 commits March 29, 2022 17:25
Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
@aeneasr aeneasr merged commit aee2b1e into ory:master Mar 29, 2022
@sawadashota sawadashota deleted the do_not_expose_debug branch March 30, 2022 00:58
peturgeorgievv pushed a commit to senteca/kratos-fork that referenced this pull request Jun 30, 2023
…y#2348)

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>