divijvaidya commented on code in PR #12229:
URL: https://github.com/apache/kafka/pull/12229#discussion_r903664991
##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/HttpAccessTokenRetriever.java:
##########
@@ -326,7 +326,7 @@ static String formatRequestBody(String scope) throws
IOException {
return requestParameters.toString();
} catch (UnsupportedEncodingException e) {
// The world has gone crazy!
- throw new IOException(String.format("Encoding %s not supported",
StandardCharsets.UTF_8.name()));
+ throw new IOException(String.format("Encoding %s not supported",
StandardCharsets.UTF_8.name()), e);
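Review bot: Chaining `e` as the cause is the right call for diagnosability, and it does not widen what the exception discloses: the `UnsupportedEncodingException` that `URLEncoder.encode(String, String)` raises carries only the charset name in its message, never the string being encoded, so the wrapped stack trace adds context without echoing the request body. One small follow-up: since `StandardCharsets.UTF_8` is guaranteed to be supported on every JVM, this branch is effectively unreachable; replacing `// The world has gone crazy!` with a comment saying exactly that would stop a future reader from hunting for a real failure mode here.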
Review Comment:
`UnsupportedEncodingException` is thrown in two cases, and in either case the string being encoded is not printed in the exception message; hence we don't leak any message information through the exception.
Case 1: `UnsupportedCharsetException`, in which case only the charset is printed in the string, as per the implementation below:
```java
public class UnsupportedCharsetException
    extends IllegalArgumentException
{
    private static final long serialVersionUID = 1490765524727386367L;

    private String charsetName;

    /**
     * Constructs an instance of this class.
     *
     * @param charsetName
     *        The name of the unsupported charset
     */
    public UnsupportedCharsetException(String charsetName) {
        super(String.valueOf(charsetName));
        this.charsetName = charsetName;
    }

    /**
     * Retrieves the name of the unsupported charset.
     *
     * @return The name of the unsupported charset
     */
    public String getCharsetName() {
        return charsetName;
    }
}
```
Case 2: `IllegalCharsetNameException`, which again just prints the name of the charset. See the implementation below:
```java
public class IllegalCharsetNameException
    extends IllegalArgumentException
{
    private static final long serialVersionUID = 1457525358470002989L;

    private String charsetName;

    /**
     * Constructs an instance of this class.
     *
     * @param charsetName
     *        The illegal charset name
     */
    public IllegalCharsetNameException(String charsetName) {
        super(String.valueOf(charsetName));
        this.charsetName = charsetName;
    }

    /**
     * Retrieves the illegal charset name.
     *
     * @return The illegal charset name
     */
    public String getCharsetName() {
        return charsetName;
    }
}
```
Is there any other security risk that you are alluding to here? Adding the
stack trace is beneficial here to quickly determine whether the failure is due
to case 1 or case 2.
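The claim above, that the wrapped cause never echoes the encoded input, can be checked rather than argued. The following is an added example, not code from the Kafka PR or the JDK: it reproduces the catch-and-wrap pattern under review, forces the branch with a constructed, unsupported charset name (the real code uses `StandardCharsets.UTF_8.name()`, which cannot fail), and walks the whole cause chain looking for the sensitive input. `encodeScope`, `chainMentions` and the charset name `BOGUS-CHARSET` are assumptions made for this example.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class ExceptionLeakCheck {

    // Same shape as the code under review: wrap the low-level exception and keep it as the cause.
    // charsetName is a parameter only so that a constructed, unsupported name can reach the catch block.
    static String encodeScope(String scope, String charsetName) throws IOException {
        try {
            return URLEncoder.encode(scope, charsetName);
        } catch (UnsupportedEncodingException e) {
            throw new IOException(String.format("Encoding %s not supported", charsetName), e);
        }
    }

    // Walks every exception in the cause chain and reports whether any message contains the
    // sensitive value. Suitable for a unit test that asserts wrapped exceptions do not disclose
    // request data; the cause chain of a Throwable is acyclic, so the loop terminates.
    static boolean chainMentions(Throwable t, String sensitive) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            String msg = cur.getMessage();
            if (msg != null && msg.contains(sensitive)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String scope = "read:constructed-sensitive-scope"; // constructed sample input, not a real scope
        try {
            encodeScope(scope, "BOGUS-CHARSET"); // constructed name so the catch branch is reachable
        } catch (IOException e) {
            System.out.println("outer message : " + e.getMessage());
            System.out.println("cause message : " + e.getCause().getMessage());
            System.out.println("input in chain: " + chainMentions(e, scope));
        }
    }
}
```

`URLEncoder.encode(String, String)` converts both `IllegalCharsetNameException` and `UnsupportedCharsetException` into an `UnsupportedEncodingException` whose message is the charset name, which is exactly what the two JDK classes quoted above show.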