Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid parsing request body in DispatcherServlet for "parameters={masked}" log message #28587

Closed
mibollma opened this issue Jun 8, 2022 · 5 comments
Closed

Avoid parsing request body in DispatcherServlet for "parameters={masked}" log message #28587

mibollma opened this issue Jun 8, 2022 · 5 comments
Assignees
@rstoyanchev
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Milestone
5.3.22

Comments

@mibollma
Copy link

mibollma commented Jun 8, 2022

Affects: spring-webmvc-5.3.20 and possibly many more

When having trace logging enabled... e.g.

logging:
  level:
    org.springframework.web: TRACE

and sending a POST request with content type application/x-www-form-urlencoded, the body of the request may be consumed by trace logging and only an empty stream or reader be available for the application.

The reason seems to be this line: https://github.com/spring-projects/spring-framework/blob/main/spring-webmvc/src/main/java/org/springframework/web/servlet/DispatcherServlet.java#L988

Even though it only attempts to check for existence of parameters it also triggers parsing of parameters which seems to consume the request body.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Jun 8, 2022
@quaff
Copy link
Contributor

quaff commented Jun 9, 2022

Yes, It will cause request::setCharacterEncoding not working.

@sbrannen sbrannen added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Jun 9, 2022
@sbrannen
Copy link
Member

sbrannen commented Jun 9, 2022

Potentially related to:

@sbrannen sbrannen added this to the Triage Queue milestone Jun 9, 2022
@rstoyanchev
Copy link
Contributor

rstoyanchev commented Jun 10, 2022
edited by sbrannen

This happens transparently when request parameters are accessed. It's how the Servlet API works. We can't prevent it from happening entirely but rather accept that it can happen.

There are two ways form data can be used. For data binding, which is the most convenient way to handle form data, it makes no difference because we bind from request parameters. For @RequestBody, the message converter relies on ServletServerHttpRequest, which reconstitutes the body content from request parameters. So, in most cases you shouldn't notice any of this.

Did you run into a specific issue or just happened to notice?

@rstoyanchev rstoyanchev added the status: waiting-for-feedback We need additional information before we can continue label Jun 10, 2022
@mibollma
Copy link
Author

Hi @rstoyanchev,

Thanks for your reply.
I came across this issue when trying to forward the raw body content to another network service.

I understand this might happen transparently (e.g. the FormContentFilter implementation has a similar effect on PATCH requests).
However in my opinion it would be better to avoid this to be triggered solely by the log level if possible.
I just wouldn't expect the application behaviour to change when I switch from WARN to DEBUG or TRACE.
What do you think?

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jun 13, 2022
@rstoyanchev
Copy link
Contributor

I think it's important to show "masked" for request parameters in order to hint that there is something to see if logging is changed. We could however print the same when the content-type is "application/x-www-form-urlencoded" and thus avoid the getParameters.size() check for that case.

@rstoyanchev rstoyanchev self-assigned this Jun 21, 2022
@rstoyanchev rstoyanchev modified the milestones: Triage Queue, 5.3.22 Jun 21, 2022
@rstoyanchev rstoyanchev added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on status: feedback-provided Feedback has been provided labels Jun 21, 2022
@rstoyanchev rstoyanchev changed the title Trace logging seems to consume request body Avoid parsing request body in DispatcherServlet for "parameters={masked}" log message Jun 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rstoyanchev rstoyanchev

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Projects
None yet
Milestone
5.3.22
Development

No branches or pull requests
5 participants
@sbrannen @quaff @rstoyanchev @mibollma @spring-projects-issues