
[DOC] document http.detailed_errors.enabled config option & related security considerations #3084

Closed
1 of 4 tasks
rursprung opened this issue Feb 27, 2023 · 4 comments · Fixed by #7173

@rursprung
Contributor

What do you want to do?

  • Request a change to existing documentation
  • Add new documentation
  • Report a technical problem with the documentation
  • Other

Tell us about your request.
The config option http.detailed_errors.enabled can be used to control whether REST APIs return detailed error messages or just generic failures.
This should be documented, not just as a "there's this parameter" but also as a general security guideline (some security reviewers consider it prudent to reduce the amount of information returned by production systems in case of errors to prevent explorative behaviour of attackers).

IMHO it'd anyway be good to have a general "security best practices" chapter in the documentation, this would then fit in nicely there.

What other resources are available?

@Naarcha-AWS Naarcha-AWS added 1 - Backlog Issue: The issue is unassigned or assigned but not started Sev3 Medium priority. Content that's missing, driven by dev, PM or the community. security and removed untriaged labels Mar 1, 2023
@hdhalter hdhalter removed 1 - Backlog Issue: The issue is unassigned or assigned but not started Sev3 Medium priority. Content that's missing, driven by dev, PM or the community. labels Dec 6, 2023
@hdhalter
Contributor

hdhalter commented Dec 6, 2023

We'll add this as a best practice in #5782.

@AntonEliatra
Contributor

@hdhalter this seems to already have been fixed in the PRs listed above. There is no further information leak; below is the current state.

http.detailed_errors.enabled: true (default)

"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"transient setting [http.detailed_errors.enabled], not dynamically updateable"}],"type":"illegal_argument_exception","reason":"transient setting [http.detailed_errors.enabled], not dynamically updateable"},"status":400

http.detailed_errors.enabled: false

"error":"RemoteTransportException[[opensearch-node2][172.31.0.2:9300][cluster:admin/settings/update]]","status":400
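An added example (not part of this thread or the OpenSearch project) that classifies the two response shapes quoted above, so an operator can check from a sampled error body whether a node is still returning detailed errors; the two bodies are constructed from the fragments in the comment, with the outer braces added so they parse as JSON.

```python
import json

# Constructed sample bodies modelled on the two fragments quoted above
# (outer braces added). The first is what http.detailed_errors.enabled: true
# returns, the second what false returns.
DETAILED_BODY = (
    '{"error":{"root_cause":[{"type":"illegal_argument_exception",'
    '"reason":"transient setting [http.detailed_errors.enabled], '
    'not dynamically updateable"}],"type":"illegal_argument_exception",'
    '"reason":"transient setting [http.detailed_errors.enabled], '
    'not dynamically updateable"},"status":400}'
)
GENERIC_BODY = (
    '{"error":"RemoteTransportException[[opensearch-node2][172.31.0.2:9300]'
    '[cluster:admin/settings/update]]","status":400}'
)


def classify_error_response(body: str) -> str:
    """Return 'detailed' when the body carries the structured
    root_cause/type/reason object (detailed errors enabled), 'generic'
    when "error" is a single opaque string (detailed errors disabled),
    and 'unknown' for anything else, including non-JSON."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    err = doc.get("error")
    if isinstance(err, dict) and "root_cause" in err:
        return "detailed"
    if isinstance(err, str):
        # Note: as the quoted sample shows, the generic form still names
        # the exception class and the node's transport address.
        return "generic"
    return "unknown"


def audit(bodies):
    """Return the bodies that still expose detailed errors; an empty
    list means every sampled response was generic."""
    return [b for b in bodies if classify_error_response(b) == "detailed"]
```

Since the setting is not dynamically updatable, a node flagged here has to be changed in opensearch.yml and restarted rather than via the cluster settings API.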

@hdhalter
Contributor

@AntonEliatra - The suggestion is to describe the setting in the documentation. Perhaps we can add to #7113?

AntonEliatra added a commit to AntonEliatra/documentation-website that referenced this issue May 16, 2024
…ect#3084

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
AntonEliatra added a commit to AntonEliatra/documentation-website that referenced this issue May 16, 2024
…ect#3084

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
@AntonEliatra
Contributor

@hdhalter PR raised for this, but I added it to a different section which seemed more appropriate: #7173

@hdhalter hdhalter added the 2 - In progress Issue/PR: The issue or PR is in progress. label May 16, 2024
Naarcha-AWS added a commit that referenced this issue May 16, 2024
* adding http.detailed_error.enabled configuration docs #3084

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* adding http.detailed_error.enabled configuration docs #3084

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Apply suggestions from code review

Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

---------

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
opensearch-trigger-bot bot pushed a commit that referenced this issue May 16, 2024
* adding http.detailed_error.enabled configuration docs #3084

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* adding http.detailed_error.enabled configuration docs #3084

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Apply suggestions from code review

Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

---------

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
(cherry picked from commit b441e00)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@hdhalter hdhalter added 3 - Done Issue is done/complete and removed 2 - In progress Issue/PR: The issue or PR is in progress. labels Jun 11, 2024