Adding SocketChannel toString to connection exception messages

Peter Levart peter.levart at gmail.com
Sun Dec 31 15:24:20 UTC 2017


Hi,

On 22. 12. 2017 at 01:35, David Holmes wrote:
> On 22/12/2017 10:29 AM, Steven Schlansker wrote:
>>
>>> On Dec 21, 2017, at 11:11 AM, Steven Schlansker 
>>> <stevenschlansker at gmail.com> wrote:
>>>
>>> What if ConnectException included the attempted hostname / IP / port 
>>> SocketAddress?
>>> java.net.ConnectException: Connection to 
>>> 'foo.mycorp.com[10.x.x.x]:12345' refused
>>> Much more useful!  This could also be extended to various other 
>>> socket exceptions.
>
> I believe there are concerns with too much information that can be 
> considered "sensitive" (like host names and IP addresses) appearing in 
> error messages due to them ending up in log files and bug reports.
>
> David

For debugging purposes it might sometimes be enough to get just a hint 
about the actual address / port but not reveal it entirely. The person 
doing debugging probably knows more about the environment than an 
average person so the hint might give him enough information to discern 
the actual address / port. Exposing just the last octet of an IP address 
and the last digit of the port might do. For example:

java.net.ConnectException: Connection to X.X.X.205:XXX8 refused.

So Steven, I'm curious whether such a hint would help in your case?

An attacker that knows something about the environment could find out 
the missing pieces without such hints anyway (simply by scanning IPs / 
ports), so such partial information is not that sensitive nowadays.

Another idea: define a one-way function that maps the IP:port pair into 
a value which is displayed in the exception message. For debugging 
purposes this might be enough since the one doing debugging might know 
the set of possible IP:port pairs in advance. He could then apply the 
function to each of them in turn and find out the matching pair.

Regards,

Peter
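
The two ideas in the message above, sketched as an added Java example; it is not part of the original post and not JDK code. The class and method names, the sample addresses and the key are constructed for illustration, and the one-way function is assumed to be HMAC-SHA-256 under a per-deployment key, because an unkeyed hash of an IPv4:port pair ranges over only about 2^48 inputs and can be enumerated.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class AddressHint {
    // Hint form from the message: only the last octet and last port digit (IPv4 only).
    static String maskedHint(InetSocketAddress a) {
        byte[] ip = a.getAddress().getAddress();
        if (ip.length != 4) throw new IllegalArgumentException("IPv4 only");
        return "X.X.X." + (ip[3] & 0xff) + ":XXX" + (a.getPort() % 10);
    }

    // One-way tag: first 64 bits of HMAC-SHA-256 over "ip:port" (assumed construction).
    static String tag(byte[] key, InetSocketAddress a) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        String canonical = a.getAddress().getHostAddress() + ":" + a.getPort();
        byte[] out = mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8));
        return String.format("%016x", ByteBuffer.wrap(out).getLong());
    }

    // The debugging step: apply the function to each known endpoint and compare.
    static InetSocketAddress resolve(byte[] key, String seen, List<InetSocketAddress> known) throws Exception {
        for (InetSocketAddress c : known) {
            if (tag(key, c).equals(seen)) return c;
        }
        return null; // endpoint not in the inventory
    }

    static InetSocketAddress addr(int a, int b, int c, int d, int port) throws Exception {
        byte[] raw = {(byte) a, (byte) b, (byte) c, (byte) d};
        return new InetSocketAddress(InetAddress.getByAddress(raw), port); // no DNS lookup
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed
        InetSocketAddress failed = addr(10, 1, 2, 205, 12348);                // constructed
        List<InetSocketAddress> known = List.of(addr(10, 1, 2, 17, 8080), failed, addr(10, 1, 3, 205, 12348));
        System.out.println("Connection to " + maskedHint(failed) + " refused");
        String t = tag(key, failed);
        System.out.println("Connection to [" + t + "] refused");
        System.out.println("resolved: " + resolve(key, t, known));
    }
}
```

Two of the constructed endpoints share the same masked hint, so the hint alone cannot tell them apart, while the tag resolves to exactly one inventory entry for whoever holds the key.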


