BatchingBatch errors should not lead to logging at an ERROR level
Description
Activity
Pepijn Opsteegh October 17, 2024 at 6:28 AMEdited
Great to see that the “log-error-and-throw” issue has been addressed and solved. Many thanks, much appreciated!
Yoann Rodière October 2, 2024 at 12:08 PM
I wouldn’t go as far as far as describing this as a “security issue”, since any application following best-practices would use SQL parameters, and thus wouldn’t include any “secrets or personal information” in the SQL string itself – those would be in query parameters, which are not logged in this case.
Mike seems to agree in his earlier comment:
After digging into this a little more, I discovered that the root cause of this is actually in the PostgreSQL JDBC driver which includes the query parameters in a batch query exception
That being said, I find it weird that we log an error when we also re-throw an exception afterwards:
I’d be in favor of not logging anything and just re-throwing the exception, possibly wrapping it with another exception if necessary (we already do in the first example, but not in the second one)?
Note this also affects Keycloak negatively:
Pepijn Opsteegh September 10, 2024 at 7:00 AM
Hi guys! Despite this issue being reported 5 years ago, I want to bring it to attention again because it is still very relevant. Could someone from the Hibernate team explain why the “log-error-and-throw” approach is sometimes chosen in Hibernate (in certain situations and not always consistently)? In the most recent version, this still happens, for example, when a StaleStateException is thrown in BatchImpl (and only when batching is enabled).
In my opinion, when an exception is thrown from a library (like Hibernate) the decision to log an error is better left to the calling code. This is especially true in situations where the exception can almost always be automatically retried, such as with the StaleStateException (optimistic locking failure). Errors in the logs often cause alerts to be triggered, causing the need for engineers on duty to look into these “errors”. Currently, the only way to circumvent this is by suppressing these error logs (which is not something you want to do in general)
Can someone please shed a light on this? Perhaps there are good reasons for Hibernate to do so, but in that case I would be really interested to know them. Or perhaps any plans on fixing / improving this in the (near) future?
Many thanks!
Mike Reardon October 9, 2019 at 5:15 PMEdited
After digging into this a little more, I discovered that the root cause of this is actually in the PostgreSQL JDBC driver which includes the query parameters in a batch query exception.
I do still think this should not log and throw
Details
Assignee
UnassignedUnassignedReporter
Mike ReardonMike Reardon(Deactivated)Sprint
NoneFix versions
Priority
Major
Details
Details
Assignee
Reporter
Mike ReardonSprint
Fix versions
Priority
Major
BatchingBatch will log failed executions at an "ERROR" level with the SQL values included. This could compromise security or violate compliance by including secrets or personal information in the logs, but squelching all ERROR level logs for the class is not desirable.
An example:
Since this exception is logged and then a new exception re-thrown, it should be logged at a DEBUG level, and the handler of the exception should be tasked with log the exception. That also would allow the exception to avoid being logged twice or logging it as an ERROR in a non-fault use case, e.g. optimistic de-duplication of data.
https://github.com/hibernate/hibernate-orm/blob/master/hibernate-core/src/main/java/org/hibernate/engine/jdbc/batch/internal/BatchingBatch.java#L128-L129
At the very least, it should not be logged with the values at an ERROR level.
Note: Newer versions of Hibernate ORM will include the code
HHH100501instead ofHHH000315, but the problem is the same.