Now alerts about exposing exception.getMessage() in servlet responses are split out of java/stack-trace-exposure into its own alert java/error-message-exposure because this is a better fit.

2026-03-01 21:34:50 +01:00 · 2024-07-25 18:02:54 +02:00
parent 90b25a6696
commit 1c1ba7734f
12 changed files with 128 additions and 37 deletions
--- a/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.java
+++ b/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.java
@@ -0,0 +1,22 @@
+protected void doGet(HttpServletRequest request, HttpServletResponse response) {
+	try {
+		doSomeWork();
+	} catch (NullPointerException ex) {
+		// BAD: printing a exception message back to the response
+		response.sendError(
+			HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+			ex.getMessage());
+		return;
+	}
+
+	try {
+		doSomeWork();
+	} catch (NullPointerException ex) {
+		// GOOD: log the stack trace, and send back a non-revealing response
+		log("Exception occurred", ex.getMessage);
+		response.sendError(
+			HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+			"Exception occurred");
+		return;
+	}
+}
--- a/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.qhelp
+++ b/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.qhelp
@@ -0,0 +1,41 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The error message at the top of a stack trace can include
+information such as server-side file names and SQL code that the
+application relies on, allowing an attacker to fine-tune a subsequent
+injection attack.</p>
+</overview>
+
+<recommendation>
+<p>Send the user a more generic error message that reveals less information.
+Either suppress the error message entirely, or log it only on the server.</p>
+</recommendation>
+
+<example>
+<p>In the following example, an exception is handled in two different
+ways. In the first version, labeled BAD, the exception is sent back to
+the remote user using the <code>getMessage()</code> method. As such,
+the user is able to see a detailed error message, which may contain
+sensitive information. In the second version, the error message is
+logged only on the server. That way, the developers can still access
+and use the error log, but remote users will not see the
+information.</p>
+
+<sample src="SensitiveDataExposureThroughErrorMessage.java" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://owasp.org/www-community/Improper_Error_Handling">Improper Error Handling</a>.</li>
+
+<li>CERT Java Coding Standard:
+<a href="https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information">ERR01-J.
+Do not allow exceptions to expose sensitive information</a>.</li>
+
+<li>
+  CWE-209: <a href="https://cwe.mitre.org/data/definitions/209.html">Information Exposure Through an Error Message</a>.
+</li>
+</references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
+++ b/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Information exposure through a error message
+ * @description Information from a error message propagates to an external user.
+ *              Error messages can unintentionally reveal implementation details
+ *              that are useful to an attacker for developing a subsequent exploit.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 5.4
+ * @precision high
+ * @id java/error-message-exposure
+ * @tags security
+ *       external/cwe/cwe-209
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.SensitiveDataExposureThroughErrorMessageQuery
+
+from Expr externalExpr, Expr errorInformation
+where
+  getMessageFlowsExternally(DataFlow::exprNode(externalExpr), DataFlow::exprNode(errorInformation))
+select externalExpr, "$@ can be exposed to an external user.", errorInformation, "Error information"
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.qhelp
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.qhelp
@@ -12,11 +12,7 @@ final state of the software when the error occurred.</p>

 <p>Unfortunately, the same information can be useful to an attacker.
 The sequence of class names in a stack trace can reveal the structure
-of the application as well as any internal components it relies on.
-Furthermore, the error message at the top of a stack trace can include
-information such as server-side file names and SQL code that the
-application relies on, allowing an attacker to fine-tune a subsequent
-injection attack.</p>
+of the application as well as any internal components it relies on.</p>
 </overview>

 <recommendation>
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -20,6 +20,5 @@ import semmle.code.java.security.StackTraceExposureQuery
 from Expr externalExpr, Expr errorInformation
 where
  printsStackExternally(externalExpr, errorInformation) or
-  stringifiedStackFlowsExternally(DataFlow::exprNode(externalExpr), errorInformation) or
-  getMessageFlowsExternally(DataFlow::exprNode(externalExpr), DataFlow::exprNode(errorInformation))
+  stringifiedStackFlowsExternally(DataFlow::exprNode(externalExpr), errorInformation)
 select externalExpr, "$@ can be exposed to an external user.", errorInformation, "Error information"