ruby.rails.security.audit.detailed-exceptions.detailed-exceptions
semgrep
Author: unknown
Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.
Definition
rules:
  - id: detailed-exceptions
    metadata:
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_detailed_exceptions.rb
      category: security
      technology:
        - rails
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    message: Found that the setting for providing detailed exception reports in
      Rails is set to true. This can lead to information exposure, where
      sensitive system or internal information is displayed to the end user.
      Instead, turn this setting off.
    languages:
      - ruby
    severity: WARNING
    patterns:
      - pattern-either:
          - patterns:
              - pattern: |
                  config.consider_all_requests_local = true
          - patterns:
              - pattern-inside: |
                  class $CONTROLLER < ApplicationController
                    ...
                  end
              - pattern: |
                  def show_detailed_exceptions? (...)
                    ...
                    return $RETURN
                  end
              - metavariable-pattern:
                  metavariable: $RETURN
                  patterns:
                    - pattern-not: |
                        false
Examples
detailed-exceptions.rb
Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
  # Show full error reports and disable caching.
  # ruleid: detailed-exceptions
  config.consider_all_requests_local = true
  config.action_controller.perform_caching = false
  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false
end

Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.
  # Show full error reports and disable caching.
  # ok: detailed-exceptions
  config.consider_all_requests_local = false
  config.action_controller.perform_caching = false
  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false
end

class ConfigController < ApplicationController
  # ruleid: detailed-exceptions
  def show_detailed_exceptions?
    return true
  end
end

class ConfigController < ApplicationController
  # ok: detailed-exceptions
  def show_detailed_exceptions?
    return false
  end
end
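To make concrete what the two branches of the rule above look for, the following is an added example, written for this page and not part of the Semgrep rule, Brakeman or Rails: a small audit in plain Ruby that parses source with the standard library's Ripper and reports (a) an assignment of literal `true` to `consider_all_requests_local` and (b) a `show_detailed_exceptions?` method whose explicit `return` is anything other than the literal `false`. The sample sources are constructed here and mirror the page's own examples, plus one conditional override (`return request.local?`) to show that the rule's `pattern-not: false` reports it as well. The S-expression shapes the code relies on (`:assign`/`:field`, `:def`, `:return` with `:args_add_block`, `:@kw` for `true`/`false`) are those Ripper emits in current Ruby releases; everything else is an assumption of this example.

```ruby
# Added example: a minimal Ripper-based audit mirroring the Semgrep rule's
# two patterns. Not the rule's, Brakeman's or Rails' own code.
require "ripper"

# Depth-first walk over Ripper's nested S-expression arrays.
def walk(node, &blk)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| walk(child, &blk) }
end

# True only when a `return` node returns exactly the literal `false`, i.e.
# [:return, [:args_add_block, [[:var_ref, [:@kw, "false", [line, col]]]], false]]
def returns_literal_false?(return_node)
  args = return_node[1]
  return false unless args.is_a?(Array) && args[0] == :args_add_block
  list = args[1]
  return false unless list.is_a?(Array) && list.length == 1
  expr = list[0]
  expr.is_a?(Array) && expr[0] == :var_ref &&
    expr[1].is_a?(Array) && expr[1][0] == :@kw && expr[1][1] == "false"
end

# Returns an array of { rule:, line: } findings for one Ruby source string.
def detailed_exception_findings(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source is not valid Ruby" if tree.nil?
  findings = []
  walk(tree) do |node|
    case node[0]
    when :assign
      # Branch (a): `config.consider_all_requests_local = true`
      lhs, rhs = node[1], node[2]
      next unless lhs.is_a?(Array) && lhs[0] == :field
      attr = lhs[3]
      next unless attr.is_a?(Array) && attr[1] == "consider_all_requests_local"
      if rhs.is_a?(Array) && rhs[0] == :var_ref && rhs[1][0] == :@kw && rhs[1][1] == "true"
        findings << { rule: "consider_all_requests_local", line: attr[2][0] }
      end
    when :def
      # Branch (b): `def show_detailed_exceptions?` with a non-`false` return
      name = node[1]
      next unless name.is_a?(Array) && name[1] == "show_detailed_exceptions?"
      walk(node) do |inner|
        next unless inner[0] == :return
        findings << { rule: "show_detailed_exceptions?", line: name[2][0] } unless returns_literal_false?(inner)
      end
    end
  end
  findings.uniq
end

# Constructed samples (mirroring the page's examples); line numbers are 1-based.
BAD_CONFIG = <<~RUBY
  Rails.application.configure do
    config.consider_all_requests_local = true
    config.action_controller.perform_caching = false
  end
RUBY

OK_CONFIG = <<~RUBY
  Rails.application.configure do
    config.consider_all_requests_local = false
  end
RUBY

BAD_CONTROLLER = <<~RUBY
  class ConfigController < ApplicationController
    def show_detailed_exceptions?
      return true
    end
  end
RUBY

# A conditional override is still reported: the rule accepts only literal `false`.
CONDITIONAL_CONTROLLER = <<~RUBY
  class ConfigController < ApplicationController
    def show_detailed_exceptions?
      return request.local?
    end
  end
RUBY

OK_CONTROLLER = <<~RUBY
  class ConfigController < ApplicationController
    def show_detailed_exceptions?
      return false
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  { "bad_config" => BAD_CONFIG, "ok_config" => OK_CONFIG, "bad_controller" => BAD_CONTROLLER,
    "conditional_controller" => CONDITIONAL_CONTROLLER, "ok_controller" => OK_CONTROLLER }.each do |label, src|
    puts "#{label}: #{detailed_exception_findings(src).inspect}"
  end
end
```

Like the Semgrep rule, the checker inspects only explicit `return` statements, so a method whose last expression is `false` without the `return` keyword is not examined; a real audit should also cover that case, and Semgrep's rule is the better tool for production use since it handles the full language.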
Short Link: https://sg.run/Je0d