Added internal option to fully redact exceptions (#3528)

Author: JonasKunz

CHANGELOG.asciidoc

@@ -31,6 +31,10 @@ Use subheadings with the "=====" level for adding notes for unreleased changes:
 
 === Unreleased
 
+[float]
+===== Features
+* Added internal `safe_exceptions` config option to workaround JVM bugs related to touching exceptions - {pull}3528[#3528]
+
 [float]
 ===== Bug fixes
 * Cleanup extra servlet request attribute used for Spring exception handler - {pull}3527[#3527]
@@ -44,9 +48,6 @@ Use subheadings with the "=====" level for adding notes for unreleased changes:
 [float]
 ===== Features
 * Added a configuration option to use queues in names of spring-rabbit transactions - {pull}3424[#3424]
-
-[float]
-===== Features
 * Add option to retry JMX metrics capture in case of exception - {pull}3511[#3511]
 
 [float]

apm-agent-core/src/main/java/co/elastic/apm/agent/configuration/CoreConfiguration.java

@@ -517,6 +517,14 @@ public String toString(Collection<String> value) {
         .tags("added[1.44.0]")
         .buildWithDefault(false);
 
+
+    private final ConfigurationOption<Integer> safeExceptions = ConfigurationOption.<Boolean>integerOption()
+        .key("safe_exceptions")
+        .tags("internal")
+        .configurationCategory(CORE_CATEGORY)
+        .dynamic(true)
+        .buildWithDefault(0);
+
     private final ConfigurationOption<List<WildcardMatcher>> classesExcludedFromInstrumentation = ConfigurationOption
         .builder(new ValueConverter<List<WildcardMatcher>>() {
 
@@ -1163,6 +1171,15 @@ public boolean isContextPropagationOnly() {
         return contextPropagationOnly.get();
     }
 
+    public boolean isRedactExceptions() {
+        return (safeExceptions.get() & 1) != 0;
+    }
+
+    @Override
+    public boolean isUseServletAttributesForExceptionPropagation() {
+        return (safeExceptions.get() & 2) == 0;
+    }
+
     public enum CloudProvider {
         AUTO,
         AWS,

apm-agent-core/src/main/java/co/elastic/apm/agent/impl/ElasticApmTracer.java

@@ -26,6 +26,7 @@
 import co.elastic.apm.agent.configuration.CoreConfiguration;
 import co.elastic.apm.agent.configuration.MetricsConfiguration;
 import co.elastic.apm.agent.configuration.ServerlessConfiguration;
+import co.elastic.apm.agent.impl.error.RedactedException;
 import co.elastic.apm.agent.impl.metadata.ServiceFactory;
 import co.elastic.apm.agent.tracer.service.Service;
 import co.elastic.apm.agent.tracer.service.ServiceInfo;
@@ -446,6 +447,8 @@ private ErrorCapture captureException(long epochMicros, @Nullable Throwable e, E
             return null;
         }
 
+        e = redactExceptionIfRequired(e);
+
         while (e != null && WildcardMatcher.anyMatch(coreConfiguration.getUnnestExceptions(), e.getClass().getName()) != null) {
             e = e.getCause();
         }
@@ -995,4 +998,13 @@ public Service createService(String ephemeralId) {
             configurationRegistry.getConfig(ServerlessConfiguration.class).runsOnAwsLambda()
         );
     }
+
+    @Override
+    @Nullable
+    public Throwable redactExceptionIfRequired(@Nullable Throwable original) {
+        if (original != null && coreConfiguration.isRedactExceptions() && !(original instanceof RedactedException)) {
+            return new RedactedException();
+        }
+        return original;
+    }
 }

apm-agent-core/src/main/java/co/elastic/apm/agent/impl/error/RedactedException.java

@@ -0,0 +1,28 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package co.elastic.apm.agent.impl.error;
+
+public class RedactedException extends Exception {
+
+    public RedactedException() {
+        super("This exception is a placeholder for an exception which has occurred in the application." +
+            "The stacktrace corresponds to where elastic APM detected the exception.");
+    }
+
+}

apm-agent-core/src/main/java/co/elastic/apm/agent/impl/transaction/Transaction.java

@@ -104,6 +104,9 @@ public class Transaction extends AbstractSpan<Transaction> implements co.elastic
     @Nullable
     private String frameworkVersion;
 
+    @Nullable
+    private Throwable pendingException;
+
     /**
      * Faas
      * <p>
@@ -337,6 +340,7 @@ public void resetState() {
         frameworkVersion = null;
         faas.resetState();
         wasActivated.set(false);
+        pendingException = null;
         // don't clear timerBySpanTypeAndSubtype map (see field-level javadoc)
     }
 
@@ -535,4 +539,17 @@ private void trackMetrics() {
             phaser.readerUnlock();
         }
     }
+
+
+    @Override
+    public void setPendingTransactionException(@Nullable Throwable exception) {
+        this.pendingException = exception;
+    }
+
+    @Nullable
+    @Override
+    public Throwable getPendingTransactionException() {
+        return this.pendingException;
+    }
+
 }

apm-agent-core/src/test/java/org/example/stacktrace/ErrorCaptureTest.java

@@ -24,6 +24,7 @@
 import co.elastic.apm.agent.impl.ElasticApmTracer;
 import co.elastic.apm.agent.impl.context.Request;
 import co.elastic.apm.agent.impl.error.ErrorCapture;
+import co.elastic.apm.agent.impl.error.RedactedException;
 import co.elastic.apm.agent.impl.stacktrace.StacktraceConfiguration;
 import co.elastic.apm.agent.impl.transaction.Transaction;
 import org.junit.jupiter.api.BeforeEach;
@@ -107,6 +108,27 @@ void testNonConfiguredWrappingConfigured() {
         assertThat(errorCapture.getException()).isInstanceOf(WrapperException.class);
     }
 
+    @Test
+    void testExceptionRedaction() {
+        doReturn(true).when(coreConfiguration).isRedactExceptions();
+        assertThat(tracer.redactExceptionIfRequired(null)).isNull();
+
+        Exception exception = new CustomException();
+        Throwable redacted = tracer.redactExceptionIfRequired(exception);
+        assertThat(redacted).isInstanceOf(RedactedException.class);
+
+        assertThat(tracer.redactExceptionIfRequired(redacted)).isSameAs(redacted);
+
+        ErrorCapture errorCapture = tracer.captureException(exception, tracer.currentContext(), null);
+        assertThat(errorCapture).isNotNull();
+        assertThat(errorCapture.getException()).isInstanceOf(RedactedException.class);
+
+        ErrorCapture alreadyRedacted = tracer.captureException(redacted, tracer.currentContext(), null);
+        assertThat(alreadyRedacted).isNotNull();
+        assertThat(alreadyRedacted.getException()).isSameAs(redacted);
+    }
+
+
     private static class NestedException extends Exception {
         public NestedException(Throwable cause) {
             super(cause);

apm-agent-plugins/apm-servlet-plugin/src/main/java/co/elastic/apm/agent/servlet/ServletApiAdvice.java

@@ -253,6 +253,12 @@ public static <HttpServletRequest, HttpServletResponse, ServletContext, ServletC
                             break;
                         }
                     }
+                    if (t2 == null) {
+                        t2 = transaction.getPendingTransactionException();
+                        if(t2 != null) {
+                            overrideStatusCodeOnThrowable = false;
+                        }
+                    }
                 }
 
                 ServletContext servletContext = adapter.getServletContext(httpServletRequest);

apm-agent-plugins/apm-servlet-plugin/src/main/java/co/elastic/apm/agent/servlet/helper/JakartaApmAsyncListener.java

@@ -79,7 +79,7 @@ public void onComplete(AsyncEvent event) {
 
     @Override
     public void onTimeout(AsyncEvent event) {
-        throwable = event.getThrowable();
+        throwable = asyncContextAdviceHelperImpl.getTracer().redactExceptionIfRequired(event.getThrowable());
         if (isJBossEap6(event)) {
             endTransaction(event);
         }
@@ -98,7 +98,7 @@ public void onTimeout(AsyncEvent event) {
 
     @Override
     public void onError(AsyncEvent event) {
-        throwable = event.getThrowable();
+        throwable = asyncContextAdviceHelperImpl.getTracer().redactExceptionIfRequired(event.getThrowable());
         if (isJBossEap6(event)) {
             endTransaction(event);
         }

apm-agent-plugins/apm-servlet-plugin/src/main/java/co/elastic/apm/agent/servlet/helper/JakartaAsyncContextAdviceHelper.java

@@ -44,6 +44,10 @@ public JakartaAsyncContextAdviceHelper(Tracer tracer) {
             new JakartaAsyncContextAdviceHelper.JakartaApmAsyncListenerAllocator());
     }
 
+    public Tracer getTracer() {
+        return tracer;
+    }
+
     private final class JakartaApmAsyncListenerAllocator implements Allocator<JakartaApmAsyncListener> {
         @Override
         public JakartaApmAsyncListener createInstance() {

apm-agent-plugins/apm-servlet-plugin/src/main/java/co/elastic/apm/agent/servlet/helper/JavaxApmAsyncListener.java

@@ -78,7 +78,7 @@ public void onComplete(AsyncEvent event) {
 
     @Override
     public void onTimeout(AsyncEvent event) {
-        throwable = event.getThrowable();
+        throwable = asyncContextAdviceHelperImpl.getTracer().redactExceptionIfRequired(event.getThrowable());
         if (isJBossEap6(event)) {
             endTransaction(event);
         }
@@ -97,7 +97,7 @@ public void onTimeout(AsyncEvent event) {
 
     @Override
     public void onError(AsyncEvent event) {
-        throwable = event.getThrowable();
+        throwable = asyncContextAdviceHelperImpl.getTracer().redactExceptionIfRequired(event.getThrowable());
         if (isJBossEap6(event)) {
             endTransaction(event);
         }