
Request_ResourceNotFound errors include resource identifier in exception message

Open naamunds opened this issue 1 year ago • 3 comments

Exception messages with error Request_ResourceNotFound include the resource identifier, which can be personally identifiable data, e.g. user principal name (UPN). My understanding is that exceptions should avoid including such data because applications often log exceptions in telemetry.

I noticed this when using IUserRequestBuilder.MemberOf.Request.GetAsync and receiving a ServiceException where the message started with Code: Request_ResourceNotFound.

naamunds avatar Aug 02 '22 16:08 naamunds

Thanks for raising this @naamunds

Any chance you can also share the exception trace that is captured in this scenario as well? It would also be really helpful if you capture the RawResponseBody property of the ServiceException if it is present.

andrueastman avatar Aug 03 '22 06:08 andrueastman

@andrueastman, we don't log the RawResponseBody, but here's an example of the "AdditionalData" included in the exception message:

date: 2022-07-26T12:46:12
request-id: 72c96cb3-42ae-44c4-80f6-93ab813ccf66
client-request-id: dcd19742-c49d-4732-af5d-a8b55d2009f8
ClientRequestId: dcd19742-c49d-4732-af5d-a8b55d2009f8

Here is the relevant part of the stack trace:

    "Microsoft.Graph.HttpProvider.<SendAsync>d__18.MoveNext()",
    "System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()",
    "System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)",
    "System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)",
    "Microsoft.Graph.BaseRequest.<SendRequestAsync>d__40.MoveNext()",
    "System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()",
    "System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)",
    "System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)",
    "Microsoft.Graph.BaseRequest.<SendAsync>d__34`1.MoveNext()",
    "System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()",
    "System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)",
    "System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)",

naamunds avatar Aug 04 '22 20:08 naamunds

I was able to replicate this in Graph Explorer by trying to query data for a non-existing user, as below.

{
    "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource '[email protected]' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
            "date": "2022-08-05T09:21:04",
            "request-id": "a706736e-76b7-451e-a9b4-433ccd5dd8f1",
            "client-request-id": "a706736e-76b7-451e-a9b4-433ccd5dd8f1"
        }
    }
}

As the exception message is built from the API message response, we're following this up first with the relevant workload team.

andrueastman avatar Aug 05 '22 09:08 andrueastman
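
Until the message text changes upstream, an application can scrub the identifier before the exception text reaches telemetry. The following is an added example, not code from this thread or from the SDK: `GraphErrorScrubber` and `Scrub` are hypothetical names, the sample text is constructed from the message shapes quoted above, and the address in it is a made-up placeholder.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper: removes resource identifiers from Graph error text
// so that only the error code and request ids are written to logs.
public static class GraphErrorScrubber
{
    // The quoted identifier in the message shape shown in this thread:
    //   Resource '<identifier>' does not exist or one of its queried ...
    // The lazy match up to "' does not exist" tolerates apostrophes inside the identifier.
    private static readonly Regex ResourceId = new Regex(
        @"(?<=\bResource ').*?(?=' does not exist)",
        RegexOptions.Compiled | RegexOptions.CultureInvariant);

    // Fallback for UPN / e-mail shaped tokens that appear in any other wording.
    private static readonly Regex EmailLike = new Regex(
        @"[^\s'""<>@]+@[^\s'""<>@]+\.[^\s'""<>@]+",
        RegexOptions.Compiled | RegexOptions.CultureInvariant);

    public static string Scrub(string message)
    {
        if (string.IsNullOrEmpty(message)) return string.Empty;
        string scrubbed = ResourceId.Replace(message, "[redacted]");
        return EmailLike.Replace(scrubbed, "[redacted]");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample; the UPN is a placeholder, not a value from the thread.
        string sample =
            "Code: Request_ResourceNotFound\n" +
            "Resource 'someone@contoso.example' does not exist or one of its " +
            "queried reference-property objects are not present.\n" +
            "ClientRequestId: dcd19742-c49d-4732-af5d-a8b55d2009f8";

        // The error code and ClientRequestId survive for correlation; the UPN does not.
        Console.WriteLine(GraphErrorScrubber.Scrub(sample));
    }
}
```

Apply the scrubber to the exception's message and string form at the point where they are handed to the logger, and keep the request ids, which are what support needs to trace the call.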