ajinabraham.njsscan.generic.error_disclosure.node_error_disclosure

profile photo of ajinabrahamajinabraham
Author
unknown
Download Count*
License

Error messages with stack traces can expose sensitive information about the application.

Run Locally

Run in CI

Defintion

rules:
  - id: node_error_disclosure
    patterns:
      - pattern-either:
          - pattern-inside: function ($REQ, $RES, ...) {...}
          - pattern-inside: function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
          - pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
      - pattern-either:
          - pattern: |
              $ERR = $ERROR.stack;
              ...
              $RES.end($ERR)
          - pattern: |
              $ERR = $ERROR.stack;
              ...
              $RES.send($ERR)
          - pattern: |
              $RES.end($ERR.stack)
          - pattern: |
              $RES.send($ERR.stack)
    message: Error messages with stack traces can expose sensitive information about
      the application.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a3
      cwe: cwe-209
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other