
DGS-4419: Adding validation error report in json serialization

Open jshahc opened this issue 2 years ago • 2 comments

When a ValidationException is thrown during schema validation, no information is given regarding the specific validation errors encountered. The ValidationException toJSON() method is used on this class to print a report of the errors found. The stack trace would look like:

Caused by: org.apache.kafka.common.errors.SerializationException: Validation error in JSON io.confluent.kafka.serializers.json.KafkaJsonSchemaSerializerTest$User@637c6a91, Error report:
{
  "schemaLocation": "#/properties/firstName",
  "pointerToViolation": "#/firstName",
  "causingExceptions": [
    {
      "schemaLocation": "#/properties/firstName/oneOf/0",
      "pointerToViolation": "#/firstName",
      "causingExceptions": [],
      "keyword": "type",
      "message": "expected: null, found: String"
    },
    {
      "schemaLocation": "#/properties/firstName/oneOf/1",
      "pointerToViolation": "#/firstName",
      "causingExceptions": [],
      "keyword": "maxLength",
      "message": "expected maxLength: 2, actual: 4"
    }
  ],
  "keyword": "oneOf",
  "message": "#: 0 subschemas matched instead of one"
}

Made a new function validateJson to avoid cyclomatic complexity issues.

jshahc avatar Aug 07 '22 15:08 jshahc

Will this error report be sent back to the customer via HTTP or will it be logged in SR logs for debugging? For security reasons we aren't supposed to log customer data in our logs.

@sanjay-awatramani, I think the error report would show up in the connector's logs. In the above example stack trace, the report shows the field name but it isn't printing the actual value, it just says the length is greater than expected. But in other cases the actual value of the field might show up. For example:

  1. "message": "string [john] does not match pattern J."
  2. "message": "-1 is not greater or equal to 0"

The second message shows up without the proposed change also. We aren't printing the complete message but just the field's name and where the validation is failing.

jshahc avatar Aug 08 '22 08:08 jshahc

I think the error report would show up in the connector's logs. In the above example stack trace, the report shows the field name but it isn't printing the actual value, it just says the length is greater than expected. But in other cases the actual value of the field might show up. For example:

  1. "message": "string [john] does not match pattern J."
  2. "message": "-1 is not greater or equal to 0"

The second message shows up without the proposed change also. We aren't printing the complete message but just the field's name and where the validation is failing.

@ap00rv, would this be a security violation?

sanjay-awatramani avatar Aug 08 '22 08:08 sanjay-awatramani
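
The concern raised in this thread, as an added example that is not part of the thread or of the project's code: a log-safe copy of the error report keeps only the structural fields (`schemaLocation`, `pointerToViolation`, `keyword`) and drops every `message`, since that is the field where values such as `john` or `-1` appear. The function names and the sample report are assumptions constructed for illustration; the report follows the JSON shape shown in the stack trace above and is written in Python rather than the project's Java so that it runs without dependencies.

```python
import json

# Fields that say where validation failed and which constraint failed,
# but never carry the offending value itself.
SAFE_FIELDS = ("schemaLocation", "pointerToViolation", "keyword")


def redact_report(report):
    """Return a copy of the report without 'message' or any unknown field."""
    safe = {k: report[k] for k in SAFE_FIELDS if k in report}
    safe["causingExceptions"] = [
        redact_report(c) for c in report.get("causingExceptions", [])
    ]
    return safe


def log_lines(report):
    """Flatten a report into one log line per leaf violation."""
    causes = report.get("causingExceptions", [])
    if not causes:
        return ["{} failed '{}' at {}".format(
            report.get("pointerToViolation"),
            report.get("keyword"),
            report.get("schemaLocation"))]
    return [line for c in causes for line in log_lines(c)]


# Constructed sample: same shape as the report in the issue, using the two
# value-bearing messages quoted in the comments. Pointers are made up.
SAMPLE = json.loads("""
{
  "schemaLocation": "#",
  "pointerToViolation": "#",
  "causingExceptions": [
    {"schemaLocation": "#/properties/firstName",
     "pointerToViolation": "#/firstName", "causingExceptions": [],
     "keyword": "pattern",
     "message": "string [john] does not match pattern J."},
    {"schemaLocation": "#/properties/age",
     "pointerToViolation": "#/age", "causingExceptions": [],
     "keyword": "minimum",
     "message": "-1 is not greater or equal to 0"}
  ],
  "message": "2 schema violations found"
}
""")
```

Property names still appear in `pointerToViolation`, so this removes field values from the log line, not field names.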