Minor changes to formulations for java/error-message-exposure

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
This commit is contained in:
RobbingDaHood
2024-07-29 16:48:15 +02:00
committed by GitHub
parent feb31d2006
commit 1cb58922a2
4 changed files with 4 additions and 7 deletions


@@ -12,7 +12,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) {
try {
doSomeWork();
} catch (NullPointerException ex) {
// GOOD: log the stack trace, and send back a non-revealing response
// GOOD: log the exception message, and send back a non-revealing response
log("Exception occurred", ex.getMessage);
response.sendError(
HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
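Review bot: the call `log("Exception occurred", ex.getMessage);` in this GOOD example is missing the method-call parentheses; `ex.getMessage` without `()` is not valid Java (it references a non-existent field), so the snippet will not compile as shown. Since the comment on the previous line was just reworded to "log the exception message", the code should match it: `log("Exception occurred", ex.getMessage());`.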


@@ -34,8 +34,5 @@ information.</p>
<a href="https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information">ERR01-J.
Do not allow exceptions to expose sensitive information</a>.</li>
<li>
CWE-209: <a href="https://cwe.mitre.org/data/definitions/209.html">Information Exposure Through an Error Message</a>.
</li>
</references>
</qhelp>
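Review bot: the link text for the new CWE-209 reference uses the weakness's former name; the current CWE title for 209 is "Generation of Error Message Containing Sensitive Information". Consider updating the anchor text so it matches the linked page, and making sure the query's `@tags` carry the corresponding `external/cwe/cwe-209` tag so the qhelp reference and query metadata agree.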


@@ -1,6 +1,6 @@
/**
* @name Information exposure through a error message
* @description Information from a error message propagates to an external user.
* @name Information exposure through an error message
* @description Information from an error message propagates to an external user.
* Error messages can unintentionally reveal implementation details
* that are useful to an attacker for developing a subsequent exploit.
* @kind problem


@@ -1,4 +1,4 @@
---
category: minorAnalysis
---
* Now alerts about exposing `exception.getMessage()` in servlet responses are split out of `java/stack-trace-exposure` into its own alert `java/error-message-exposure` because this is a better fit.
* Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query `java/error-message-exposure`.
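Review bot: in the reworded change note, "Alerts ... are now split out of `java/stack-trace-exposure` into its own query" has a number-agreement problem ("Alerts" is plural, "its" is singular); "into a separate query `java/error-message-exposure`" reads cleanly. It would also help users to state the practical consequence of the split in this note: `java/stack-trace-exposure` will no longer report `exception.getMessage()` exposures, so anyone relying on that query needs to enable `java/error-message-exposure` to keep that coverage.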