https://github.com/spring-projects/spring-framework/blob/5338d8b5e90acf43a919b8b1eb1803748a3f81c7/spring-context/src/main/java/org/springframework/validation/FieldError.java#L128
Since the rejectedValue is included in the FieldError#toString() method, it follows that MethodArgumentNotValidException builds its message text in the getMessage method with each Error object.
https://github.com/spring-projects/spring-framework/blob/5338d8b5e90acf43a919b8b1eb1803748a3f81c7/spring-web/src/main/java/org/springframework/web/bind/MethodArgumentNotValidException.java#L67
Since exception.getMessage() is highly likely to be logged, this might cause a sensitive data leak.
Comment From: rstoyanchev
By default MethodArgumentNotValidException is handled and turned into a 400 response.
Comment From: zhongf
Hi, thank you for reply.
My point is that most exception handlers log exception.getMessage() one way or the other, which might cause the rejectedValue to be logged.
Comment From: rstoyanchev
You will need to be more specific than that because generally exceptions are not logged if handled. MethodArgumentNotValidException
for example is handled in DefaultHandlerExceptionResolver
and logged only at DEBUG level by default.
Comment From: zhongf
Fair enough. It's our project that handles exception inappropriately (logging exception message at ERROR level).
Thank you for taking the time to answer my question.
P.S. But I am still wondering if it's a good idea to embed internal state in exceptions?
Comment From: rstoyanchev
It's a good question, although typically binding errors are handled by returning to the form, without even raising an exception. In addition, default error handling turns it into a response status, as mentioned already.
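The practical takeaway from the thread is that a project-level handler should not put `exception.getMessage()` (or `FieldError#toString()`) into its logs, because both embed the `rejectedValue`. The following `@RestControllerAdvice` is an added example, not code from this issue or from the Spring Framework itself; it assumes Spring Web and Spring Validation on the classpath, SLF4J for logging, and the class name `ValidationLoggingAdvice` and method names are invented for illustration. It logs and returns only object name, field name and error code, never the submitted value.

```java
// Added example for this discussion; not part of the Spring Framework or of the issue thread.
// Assumes spring-web, spring-context (validation) and SLF4J are available.
package example.web;

import java.util.List;
import java.util.stream.Collectors;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.FieldError;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@RestControllerAdvice
public class ValidationLoggingAdvice {

    private static final Logger log = LoggerFactory.getLogger(ValidationLoggingAdvice.class);

    // Handles the same exception the thread discusses, but builds its own log line
    // instead of calling ex.getMessage() or FieldError#toString(), both of which
    // include the rejectedValue.
    @ExceptionHandler(MethodArgumentNotValidException.class)
    public ResponseEntity<List<String>> onInvalidArgument(MethodArgumentNotValidException ex) {
        List<String> problems = ex.getBindingResult().getFieldErrors().stream()
                .map(ValidationLoggingAdvice::describeWithoutValue)
                .collect(Collectors.toList());

        // Only the bound parameter type and the value-free descriptions reach the log.
        log.warn("Request validation failed for {}: {}",
                ex.getParameter().getParameterType().getSimpleName(), problems);

        // Same 400 status the default handling produces, with a value-free body.
        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(problems);
    }

    // Describes a FieldError by object name, field and error code only.
    // error.getRejectedValue() is deliberately never read here.
    static String describeWithoutValue(FieldError error) {
        return error.getObjectName() + "." + error.getField() + " [" + error.getCode() + "]";
    }
}
```

Note that the handler also avoids `getDefaultMessage()`: a constraint's message template can interpolate `${validatedValue}`, so treating the default message as value-free is not safe in general. If the exception must still be logged for diagnostics, log `ex.getClass().getSimpleName()` and the list above at DEBUG rather than the exception object itself.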