security-dashboards-plugin
[Enhancement] Restrict information available in `ResponseError`
The security of OpenSearch Dashboards could be hardened by restricting the information available in a `ResponseError`. Indeed, it appears that OpenSearch Dashboards does not perform any filtering of the `ResponseError` fields, especially Authorization headers.
This is currently not a security issue in OpenSearch as the exceptions are not logged, but it could further harden the security of the product and prevent any future misuse.
```ts
class ResponseError<TResponse = Record<string, any>, TContext = Context> extends OpenSearchClientError {
  name: string;
  message: string;
  meta: ApiResponse<TResponse, TContext>;
  body: TResponse;
  statusCode: number;
  headers: Record<string, any>;
  constructor(meta: ApiResponse);
}
```
The following test shows that no logging is performed but that the exception class may contain too much information:
```ts
it('Check that sensitive headers are filtered out', async () => {
  const { server: innerServer, createRouter } = await server.setup(setupDeps);
  const router = createRouter('/');
  router.get({ path: '/', validate: false }, (context, req, res) => {
    const error = new Error('unauthorized');
    return res.custom({
      statusCode: 401,
      body: error,
      headers: { "Authorization": "secret-value" }
    });
  });
  await server.start();
  const result = await supertest(innerServer.listener).get('/').expect(401);
  expect(result.body.message).toBe('unauthorized');
  expect(loggingSystemMock.collect(logger).error).toHaveLength(0);
  // expect(result.headers).toBe({}); // <- for the moment, the whole header array is available
});
```
[Triage] Hi @davidlago, thanks for filing this issue. This is a good preemptive measure to keep things above board. We can close this issue when the logging has been changed to redact any of the sensitive information from the response and we have tests to show this.
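The redaction step the triage comment asks for could look like the following. This is an added example, not part of the issue thread and not code from OpenSearch Dashboards or opensearch-js. The names `redactForLogging`, `redactHeaders`, `SENSITIVE_HEADERS` and `sampleError` are hypothetical, the header denylist is an assumption, and the sample error is constructed.

```typescript
// Added example: hypothetical helper, not OpenSearch Dashboards or opensearch-js code.
const SENSITIVE_HEADERS = ['authorization', 'proxy-authorization', 'cookie', 'set-cookie']; // assumed denylist
const REDACTED = '[REDACTED]';
type Json = Record<string, unknown>;

function isObject(value: unknown): value is Json {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}
// Copy a header map, masking sensitive names regardless of case.
function redactHeaders(headers: Json): Json {
  const out: Json = {};
  for (const name of Object.keys(headers)) {
    out[name] = SENSITIVE_HEADERS.indexOf(name.toLowerCase()) !== -1 ? REDACTED : headers[name];
  }
  return out;
}

// Log-safe deep copy: every `headers` map at any depth is redacted; `path` (ancestor stack) stops cycles.
function redactForLogging(value: unknown, path: object[] = []): unknown {
  if (typeof value !== 'object' || value === null) return value;
  if (path.indexOf(value) !== -1) return '[Circular]';
  path.push(value);
  let out: unknown;
  if (Array.isArray(value)) {
    out = value.map((item) => redactForLogging(item, path));
  } else {
    const copy: Json = {};
    // Error.message is not enumerable, so carry name and message over explicitly.
    if (value instanceof Error) { copy.name = value.name; copy.message = value.message; }
    for (const key of Object.keys(value)) {
      const child = (value as Json)[key];
      copy[key] = key.toLowerCase() === 'headers' && isObject(child)
        ? redactHeaders(child)
        : redactForLogging(child, path);
    }
    out = copy;
  }
  path.pop();
  return out;
}

// Constructed sample with the `meta` and `headers` fields quoted in the issue.
function sampleError(): Error {
  const meta = { statusCode: 401, headers: { Authorization: 'secret-value' } };
  const err = new Error('unauthorized') as Error & Json;
  err.meta = meta;
  err.headers = meta.headers;
  return err;
}
```

Passing an error through `redactForLogging` before it reaches a logger leaves the original object untouched, so callers that still need the real headers are unaffected.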