Pull request overview
This pull request addresses issue #1545 by preventing sensitive data leakage through exception messages. Previously, OnboardingProviderException messages included the entire request object via string concatenation, which could expose sensitive information such as OTP codes, biometric images, and personally identifiable information (PII). The fix extracts only the processId field from request objects to include in exception messages.
Changes:
- Updated all `OnboardingProviderException` constructor calls to use formatted strings with only `processId` instead of concatenating the full request object
- Correctly handles both Lombok-based classes (using `getProcessId()`) and Java record classes (using `processId()`)
- Maintains consistent error message format: "action description, processId=%s" across all exception scenarios
| response = restClient.post("/user/lookup", requestDto, null, createHeaders(), responseType).getBody(); | ||
| } catch (RestClientException e) { | ||
| throw new OnboardingProviderException("Unable to lookup user for " + request, e); | ||
| throw new OnboardingProviderException("Unable to lookup user, processId=%s".formatted(request.getProcessId()), e); |
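Review bot: The added `throw` line dereferences `request` inside the catch block via `request.getProcessId()`, so if `request` can be null at that point, a NullPointerException is raised from the handler and the original `RestClientException` is never wrapped or reported. The removed line tolerated a null `request` because string concatenation renders it as "null". Consider resolving the processId null-safely before formatting the message, for example with a small helper that returns a placeholder when the request or its processId is missing, so the failure path cannot itself fail.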
I was thinking about creating a separate method for creating the exception instance, but I am not sure it will bring any benefit. The current approach is good.
zcgandcomp left a comment
Good from a content point of view. I have small concerns regarding the null safety.
No description provided.
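The leak this pull request removes, next to a null-safe variant of the fix, as an added example that is not code from the project. `LookupRequest`, its fields, the `"unknown"` placeholder and the reduced `OnboardingProviderException` are hypothetical stand-ins, and all values are constructed.

```java
import java.util.Optional;

public class ExceptionMessageLeakDemo {

    // Hypothetical request type; the field names are assumptions, not the project's DTO.
    record LookupRequest(String processId, String otpCode, String userId) {}

    // Stand-in for the project's exception class, reduced to message + cause.
    static class OnboardingProviderException extends Exception {
        OnboardingProviderException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    // Before: concatenation calls the record's generated toString(),
    // which prints every component, including the OTP code.
    static OnboardingProviderException leaky(LookupRequest request, Throwable cause) {
        return new OnboardingProviderException("Unable to lookup user for " + request, cause);
    }

    // After: only the correlation id reaches the message. A null request or a
    // null processId yields a placeholder instead of an NPE that would hide 'cause'.
    static OnboardingProviderException safe(LookupRequest request, Throwable cause) {
        String processId = Optional.ofNullable(request)
                .map(LookupRequest::processId)
                .orElse("unknown");
        return new OnboardingProviderException(
                "Unable to lookup user, processId=%s".formatted(processId), cause);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        LookupRequest request = new LookupRequest("proc-123", "482913", "user-42");
        Throwable cause = new RuntimeException("connection refused");

        String before = leaky(request, cause).getMessage();
        String after = safe(request, cause).getMessage();
        String afterNull = safe(null, cause).getMessage();

        System.out.println(before);
        System.out.println(after);
        System.out.println(afterNull);

        // The old message carries the OTP into logs; the new one does not.
        if (!before.contains("482913")) throw new AssertionError("expected leak in old format");
        if (after.contains("482913")) throw new AssertionError("OTP leaked in new format");
        if (!afterNull.endsWith("processId=unknown")) throw new AssertionError("null not handled");
    }
}
```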