JSD: edit error500.soy in order to hide jira stacktrace

soy
jsd
jira-server

#1

Hello everybody, I’m facing the bug JRASERVER-38101 and, in particular, I’m facing two different tests that output the Jira stacktrace to the user. As depicted in the issue above, the stacktrace can be found both in the GUI and in the F12 tools.
As suggested (but not supported by Atlassian), I have modified error500.soy by commenting out this part:

/*
    {if $stacktrace}
        <blockquote id="stacktrace" style="overflow-x: auto;"><pre>{$stacktrace}</pre></blockquote>
    {else}
        <p>{$servletErrorMessage}</p>
    {/if}
*/

That hides the Tomcat stacktrace only in the GUI, but not in the F12 tools.

The problem I would like to solve is:

  • Use Firefox (latest version 59.0.2; the version doesn’t matter, FF is important for the developer tools)
  • Log into Jira and go to Customer portal
  • Go to Profile (/servicedesk/customer/user/profile)
  • click Edit
  • click Change avatar
  • click Select Image and choose an image
  • click Done
  • Type “F12” (for the developer tool window to open)
  • go to the “Network” tab and activate “Preserve log”
  • click Save on the page
  • right click on the PUT request “user” and on “edit/modify and resend”
  • on the detail frame section (on the right), edit the avatar parameter from “data:image/png…etc” to “data:image/pnggg…etc” and then click “send” on the top right
  • you can see the PUT request “user” again, but now you get a 500 error
  • click on this request
  • on the detail frame section (on the right), click on “Response” tab
  • you can see the tomcat stacktrace

For this very particular case, I’m not able to modify the error500.soy.

Does anybody have an idea?

Thank you in advance


#2

Hi all, as our Security Team is pushing us for the problem to be solved, is there someone who can help us to find a way to solve the issue described above?

Many thanks,

Michele
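
A check for confirming the fix discussed in this thread, as an added example that is not part of the original posts and not Atlassian's code: it scans a saved response body (the HTML error page, or the REST response copied from the Network tab) for Java stack frames, including HTML-escaped and JSON-encoded ones. The sample bodies and the JSON key names are constructed assumptions.

```python
import html
import json
import re

# A Java stack frame: "at pkg.Class.method(Source.java:123)", or Native Method / Unknown Source.
FRAME = re.compile(r"\bat\s+[\w$.]+\.[\w$<>]+\((?:[\w$]+\.java:\d+|Native Method|Unknown Source)\)")
# An exception header such as "java.lang.IllegalArgumentException".
HEADER = re.compile(r"\b(?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error)\b")


def _text_views(body):
    """Yield the body as-is, HTML-unescaped, and each decoded JSON string value."""
    yield body
    yield html.unescape(body)
    try:
        doc = json.loads(body)
    except ValueError:
        return  # not JSON: the two views above are all there is
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, str):
            yield node  # "\n\tat ..." escapes are now real whitespace
        elif isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)


def leaked_trace(body, min_frames=2):
    """Return the stack frames exposed by a response body, or [] if none are found."""
    for view in _text_views(body):
        frames = FRAME.findall(view)
        if len(frames) >= min_frames and HEADER.search(view):
            return frames
    return []


# Constructed sample bodies (not captured from a real Jira instance).
HTML_500 = ('<blockquote id="stacktrace"><pre>java.lang.IllegalArgumentException: bad input\n'
            '\tat com.example.Foo.&lt;init&gt;(Foo.java:10)\n'
            '\tat com.example.Bar.run(Bar.java:42)</pre></blockquote>')
JSON_500 = json.dumps({"message": "Internal error",  # hypothetical key names
                       "stackTrace": "java.lang.IllegalStateException: x\n"
                                     "\tat com.example.A.b(A.java:1)\n"
                                     "\tat com.example.C.d(C.java:2)"})
CLEAN_500 = "<p>Something went wrong. Reference: 1234</p>"
```

A plain text search of the raw JSON body misses the frames because the `\n\tat` escapes hide the word boundary, which is why the JSON string values are decoded before matching.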