Improve error detail in AS4 MDN to avoid leaking internal information #189
javierestevez
started this conversation in
Ideas
Replies: 1 comment
-
|
Hello, Any news on this? Thank you, |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Hello,
we have recently discovered that in case of an inbound error the AS4 implementation builds an MDN with an error detail constructed using the message of the exception and its causes (
As4MessageFactory#getErrorDetail). In contrast, the AS2 MDN simply contained the parent exception message.This is prone to leaking internal information of the receiving AP to the sending AP. For instance, in our case the original exception was an HTTP error when contacting a cloud storage solution while persisting the payload. The cloud storage URL was part of the exception message and was thus shared with the sending AP (bad).
Do you think this is something you could improve on the AS4 implementation?
Thank you in advance,
Javier
Beta Was this translation helpful? Give feedback.
All reactions