contrib.nodejsscan.error_disclosure.node_error_disclosure
returntocorpAuthor
99
Download Count*
License
Error messages with stack traces can expose sensitive information about the application.
Run Locally
Run in CI
Defintion
rules:
- id: node_error_disclosure
patterns:
- pattern-either:
- pattern-inside: function ($REQ, $RES, ...) {...}
- pattern-inside: function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: $X = function $FUNC($REQ, $RES, ...) {...}
- pattern-inside: var $X = function $FUNC($REQ, $RES, ...) {...};
- pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
- pattern-either:
- pattern: |
$ERR = $ERROR.stack;
...
$RES.end($ERR);
- pattern: |
$ERR = $ERROR.stack;
...
$RES.send($ERR);
- pattern: |
$RES.end($ERR.stack)
- pattern: |
$RES.send($ERR.stack)
message: Error messages with stack traces can expose sensitive information about
the application.
languages:
- javascript
severity: ERROR
metadata:
owasp: A03:2017 - Sensitive Data Exposure
cwe: "CWE-209: Generation of Error Message Containing Sensitive Information"
category: security
technology:
- node.js
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Short Link: https://sg.run/LwEG