Disable exception details on default error views

Prior to this commit, default error responses included the message
from a handled exception. When the exception was a BindException, the
error responses could also include an errors attribute containing the
details of the binding failure. These details could leak information
about the application.

This commit removes the exception message and binding errors detail
from error responses by default, and introduces a
`server.error.include-details` property that can be used to cause
these details to be included in the response.

Fixes gh-20505

Author: scottfrederick

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/web/servlet/ManagementErrorEndpoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,7 +47,7 @@ public ManagementErrorEndpoint(ErrorAttributes errorAttributes) {
 	@RequestMapping("${server.error.path:${error.path:/error}}")
 	@ResponseBody
 	public Map<String, Object> invoke(ServletWebRequest request) {
-		return this.errorAttributes.getErrorAttributes(request, false);
+		return this.errorAttributes.getErrorAttributes(request, false, false);
 	}
 
 }

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/web/servlet/WebMvcEndpointChildContextConfigurationIntegrationTests.java

@@ -41,6 +41,7 @@
  * Integration tests for {@link WebMvcEndpointChildContextConfiguration}.
  *
  * @author Phillip Webb
+ * @author Scott Frederick
  */
 class WebMvcEndpointChildContextConfigurationIntegrationTests {
 
@@ -59,7 +60,8 @@ void errorPageAndErrorControllerAreUsed() {
 					WebClient client = WebClient.create("http://localhost:" + port);
 					ClientResponse response = client.get().uri("actuator/fail").accept(MediaType.APPLICATION_JSON)
 							.exchange().block();
-					assertThat(response.bodyToMono(String.class).block()).contains("message\":\"Epic Fail");
+					assertThat(response.bodyToMono(String.class).block())
+							.contains("message\":\"An error occurred while processing the request");
 				});
 	}
 

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/web/annotation/AbstractWebEndpointIntegrationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -61,6 +61,7 @@
  *
  * @param <T> the type of application context used by the tests
  * @author Andy Wilkinson
+ * @author Scott Frederick
  */
 public abstract class AbstractWebEndpointIntegrationTests<T extends ConfigurableApplicationContext & AnnotationConfigRegistry> {
 
@@ -409,8 +410,10 @@ private void load(Consumer<T> contextCustomizer, String endpointPath,
 			BiConsumer<ApplicationContext, WebTestClient> consumer) {
 		T applicationContext = this.applicationContextSupplier.get();
 		contextCustomizer.accept(applicationContext);
-		applicationContext.getEnvironment().getPropertySources()
-				.addLast(new MapPropertySource("test", Collections.singletonMap("endpointPath", endpointPath)));
+		Map<String, Object> properties = new HashMap<>();
+		properties.put("endpointPath", endpointPath);
+		properties.put("server.error.include-details", "always");
+		applicationContext.getEnvironment().getPropertySources().addLast(new MapPropertySource("test", properties));
 		applicationContext.refresh();
 		try {
 			InetSocketAddress address = new InetSocketAddress(getPort(applicationContext));

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorProperties.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
  * @author Michael Stummvoll
  * @author Stephane Nicoll
  * @author Vedran Pavic
+ * @author Scott Frederick
  * @since 1.3.0
  */
 public class ErrorProperties {
@@ -40,10 +41,15 @@ public class ErrorProperties {
 	private boolean includeException;
 
 	/**
-	 * When to include a "stacktrace" attribute.
+	 * When to include the "trace" attribute.
 	 */
 	private IncludeStacktrace includeStacktrace = IncludeStacktrace.NEVER;
 
+	/**
+	 * When to include "message" and "errors" attributes.
+	 */
+	private IncludeDetails includeDetails = IncludeDetails.NEVER;
+
 	private final Whitelabel whitelabel = new Whitelabel();
 
 	public String getPath() {
@@ -70,6 +76,14 @@ public void setIncludeStacktrace(IncludeStacktrace includeStacktrace) {
 		this.includeStacktrace = includeStacktrace;
 	}
 
+	public IncludeDetails getIncludeDetails() {
+		return this.includeDetails;
+	}
+
+	public void setIncludeDetails(IncludeDetails includeDetails) {
+		this.includeDetails = includeDetails;
+	}
+
 	public Whitelabel getWhitelabel() {
 		return this.whitelabel;
 	}
@@ -96,6 +110,28 @@ public enum IncludeStacktrace {
 
 	}
 
+	/**
+	 * Include error details attributes options.
+	 */
+	public enum IncludeDetails {
+
+		/**
+		 * Never add error detail information.
+		 */
+		NEVER,
+
+		/**
+		 * Always add error detail information.
+		 */
+		ALWAYS,
+
+		/**
+		 * Add error details information when the "details" request parameter is "true".
+		 */
+		ON_DETAILS_PARAM
+
+	}
+
 	public static class Whitelabel {
 
 		/**

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/error/AbstractErrorWebExceptionHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -54,6 +54,7 @@
  * Abstract base class for {@link ErrorWebExceptionHandler} implementations.
  *
  * @author Brian Clozel
+ * @author Scott Frederick
  * @since 2.0.0
  * @see ErrorAttributes
  */
@@ -131,10 +132,26 @@ public void setViewResolvers(List<ViewResolver> viewResolvers) {
 	 * views or JSON payloads.
 	 * @param request the source request
 	 * @param includeStackTrace whether to include the error stacktrace information
-	 * @return the error attributes as a Map.
+	 * @return the error attributes as a Map
+	 * @deprecated since 2.3.0 in favor of
+	 * {@link #getErrorAttributes(ServerRequest, boolean, boolean)}
 	 */
+	@Deprecated
 	protected Map<String, Object> getErrorAttributes(ServerRequest request, boolean includeStackTrace) {
-		return this.errorAttributes.getErrorAttributes(request, includeStackTrace);
+		return this.errorAttributes.getErrorAttributes(request, includeStackTrace, false);
+	}
+
+	/**
+	 * Extract the error attributes from the current request, to be used to populate error
+	 * views or JSON payloads.
+	 * @param request the source request
+	 * @param includeStackTrace whether to include the error stacktrace information
+	 * @param includeDetails whether to include message and errors attributes
+	 * @return the error attributes as a Map
+	 */
+	protected Map<String, Object> getErrorAttributes(ServerRequest request, boolean includeStackTrace,
+			boolean includeDetails) {
+		return this.errorAttributes.getErrorAttributes(request, includeStackTrace, includeDetails);
 	}
 
 	/**
@@ -152,7 +169,21 @@ protected Throwable getError(ServerRequest request) {
 	 * @return {@code true} if the error trace has been requested, {@code false} otherwise
 	 */
 	protected boolean isTraceEnabled(ServerRequest request) {
-		String parameter = request.queryParam("trace").orElse("false");
+		return getBooleanParameter(request, "trace");
+	}
+
+	/**
+	 * Check whether the details attribute has been set on the given request.
+	 * @param request the source request
+	 * @return {@code true} if the error details have been requested, {@code false}
+	 * otherwise
+	 */
+	protected boolean isDetailsEnabled(ServerRequest request) {
+		return getBooleanParameter(request, "details");
+	}
+
+	private boolean getBooleanParameter(ServerRequest request, String parameterName) {
+		String parameter = request.queryParam(parameterName).orElse("false");
 		return !"false".equalsIgnoreCase(parameter);
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/error/DefaultErrorWebExceptionHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -71,6 +71,7 @@
  * payload.
  *
  * @author Brian Clozel
+ * @author Scott Frederick
  * @since 2.0.0
  */
 public class DefaultErrorWebExceptionHandler extends AbstractErrorWebExceptionHandler {
@@ -113,7 +114,8 @@ protected RouterFunction<ServerResponse> getRoutingFunction(ErrorAttributes erro
 	 */
 	protected Mono<ServerResponse> renderErrorView(ServerRequest request) {
 		boolean includeStackTrace = isIncludeStackTrace(request, MediaType.TEXT_HTML);
-		Map<String, Object> error = getErrorAttributes(request, includeStackTrace);
+		boolean includeDetails = isIncludeDetails(request, MediaType.TEXT_HTML);
+		Map<String, Object> error = getErrorAttributes(request, includeStackTrace, includeDetails);
 		int errorStatus = getHttpStatus(error);
 		ServerResponse.BodyBuilder responseBody = ServerResponse.status(errorStatus).contentType(TEXT_HTML_UTF8);
 		return Flux.just(getData(errorStatus).toArray(new String[] {}))
@@ -141,7 +143,8 @@ private List<String> getData(int errorStatus) {
 	 */
 	protected Mono<ServerResponse> renderErrorResponse(ServerRequest request) {
 		boolean includeStackTrace = isIncludeStackTrace(request, MediaType.ALL);
-		Map<String, Object> error = getErrorAttributes(request, includeStackTrace);
+		boolean includeDetails = isIncludeDetails(request, MediaType.ALL);
+		Map<String, Object> error = getErrorAttributes(request, includeStackTrace, includeDetails);
 		return ServerResponse.status(getHttpStatus(error)).contentType(MediaType.APPLICATION_JSON)
 				.body(BodyInserters.fromValue(error));
 	}
@@ -163,6 +166,23 @@ protected boolean isIncludeStackTrace(ServerRequest request, MediaType produces)
 		return false;
 	}
 
+	/**
+	 * Determine if the message and errors attributes should be included.
+	 * @param request the source request
+	 * @param produces the media type produced (or {@code MediaType.ALL})
+	 * @return if the message and errors attributes should be included
+	 */
+	protected boolean isIncludeDetails(ServerRequest request, MediaType produces) {
+		ErrorProperties.IncludeDetails include = this.errorProperties.getIncludeDetails();
+		if (include == ErrorProperties.IncludeDetails.ALWAYS) {
+			return true;
+		}
+		if (include == ErrorProperties.IncludeDetails.ON_DETAILS_PARAM) {
+			return isDetailsEnabled(request);
+		}
+		return false;
+	}
+
 	/**
 	 * Get the HTTP error status information from the error map.
 	 * @param errorAttributes the current error information

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/error/AbstractErrorController.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@
  *
  * @author Dave Syer
  * @author Phillip Webb
+ * @author Scott Frederick
  * @since 1.3.0
  * @see ErrorAttributes
  */
@@ -66,13 +67,35 @@ private List<ErrorViewResolver> sortErrorViewResolvers(List<ErrorViewResolver> r
 		return sorted;
 	}
 
+	/**
+	 * Returns a {@link Map} of the error attributes.
+	 * @param request the source request
+	 * @param includeStackTrace if stack trace elements should be included
+	 * @return the error attributes
+	 * @deprecated since 2.3.0 in favor of
+	 * {@link #getErrorAttributes(HttpServletRequest, boolean, boolean)}
+	 */
+	@Deprecated
 	protected Map<String, Object> getErrorAttributes(HttpServletRequest request, boolean includeStackTrace) {
+		return this.getErrorAttributes(request, includeStackTrace, false);
+	}
+
+	protected Map<String, Object> getErrorAttributes(HttpServletRequest request, boolean includeStackTrace,
+			boolean includeDetails) {
 		WebRequest webRequest = new ServletWebRequest(request);
-		return this.errorAttributes.getErrorAttributes(webRequest, includeStackTrace);
+		return this.errorAttributes.getErrorAttributes(webRequest, includeStackTrace, includeDetails);
 	}
 
 	protected boolean getTraceParameter(HttpServletRequest request) {
-		String parameter = request.getParameter("trace");
+		return getBooleanParameter(request, "trace");
+	}
+
+	protected boolean getDetailsParameter(HttpServletRequest request) {
+		return getBooleanParameter(request, "details");
+	}
+
+	protected boolean getBooleanParameter(HttpServletRequest request, String parameterName) {
+		String parameter = request.getParameter(parameterName);
 		if (parameter == null) {
 			return false;
 		}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/error/BasicErrorController.java

@@ -24,6 +24,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.boot.autoconfigure.web.ErrorProperties;
+import org.springframework.boot.autoconfigure.web.ErrorProperties.IncludeDetails;
 import org.springframework.boot.autoconfigure.web.ErrorProperties.IncludeStacktrace;
 import org.springframework.boot.web.servlet.error.ErrorAttributes;
 import org.springframework.boot.web.servlet.server.AbstractServletWebServerFactory;
@@ -47,6 +48,7 @@
  * @author Phillip Webb
  * @author Michael Stummvoll
  * @author Stephane Nicoll
+ * @author Scott Frederick
  * @since 1.0.0
  * @see ErrorAttributes
  * @see ErrorProperties
@@ -87,8 +89,8 @@ public String getErrorPath() {
 	@RequestMapping(produces = MediaType.TEXT_HTML_VALUE)
 	public ModelAndView errorHtml(HttpServletRequest request, HttpServletResponse response) {
 		HttpStatus status = getStatus(request);
-		Map<String, Object> model = Collections
-				.unmodifiableMap(getErrorAttributes(request, isIncludeStackTrace(request, MediaType.TEXT_HTML)));
+		Map<String, Object> model = Collections.unmodifiableMap(getErrorAttributes(request,
+				isIncludeStackTrace(request, MediaType.TEXT_HTML), isIncludeDetails(request, MediaType.TEXT_HTML)));
 		response.setStatus(status.value());
 		ModelAndView modelAndView = resolveErrorView(request, response, status, model);
 		return (modelAndView != null) ? modelAndView : new ModelAndView("error", model);
@@ -100,7 +102,8 @@ public ResponseEntity<Map<String, Object>> error(HttpServletRequest request) {
 		if (status == HttpStatus.NO_CONTENT) {
 			return new ResponseEntity<>(status);
 		}
-		Map<String, Object> body = getErrorAttributes(request, isIncludeStackTrace(request, MediaType.ALL));
+		Map<String, Object> body = getErrorAttributes(request, isIncludeStackTrace(request, MediaType.ALL),
+				isIncludeDetails(request, MediaType.ALL));
 		return new ResponseEntity<>(body, status);
 	}
 
@@ -127,6 +130,23 @@ protected boolean isIncludeStackTrace(HttpServletRequest request, MediaType prod
 		return false;
 	}
 
+	/**
+	 * Determine if the error details attributes should be included.
+	 * @param request the source request
+	 * @param produces the media type produced (or {@code MediaType.ALL})
+	 * @return if the error details attributes should be included
+	 */
+	protected boolean isIncludeDetails(HttpServletRequest request, MediaType produces) {
+		IncludeDetails include = getErrorProperties().getIncludeDetails();
+		if (include == IncludeDetails.ALWAYS) {
+			return true;
+		}
+		if (include == IncludeDetails.ON_DETAILS_PARAM) {
+			return getDetailsParameter(request);
+		}
+		return false;
+	}
+
 	/**
 	 * Provide access to the error properties.
 	 * @return the error properties

spring-boot-project/spring-boot-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -106,6 +106,10 @@
       "description": "Minimum \"Content-Length\" value that is required for compression to be performed.",
       "defaultValue": "2KB"
     },
+    {
+      "name": "server.error.include-details",
+      "defaultValue": "never"
+    },
     {
       "name": "server.error.include-stacktrace",
       "defaultValue": "never"