ruby.rails.security.audit.detailed-exceptions.detailed-exceptions


Found that detailed exception reporting in Rails is enabled, either via `config.consider_all_requests_local = true` or via a `show_detailed_exceptions?` override that does not return `false`. In production this renders stack traces, source excerpts and request details to the end user (information exposure, CWE-200). Keep the setting `false` in `config/environments/production.rb`; it is the Rails default, and expected, in `development.rb`.


Definition

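rules:
  - id: detailed-exceptions
    metadata:
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_detailed_exceptions.rb
      category: security
      technology:
        - rails
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      # LOW because the second pattern fires on any non-`false` return, including
      # legitimate conditionals such as `request.local?` (see comment below).
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    message: >-
      Found that the setting for providing detailed exception reports in Rails
      is enabled, either via `config.consider_all_requests_local = true` or a
      `show_detailed_exceptions?` override that does not return `false`. In
      production this renders stack traces, source excerpts and request details
      to end users (information exposure, CWE-200). Keep it `false` in
      config/environments/production.rb; enabling it in development.rb is the
      Rails default and is expected.
    languages:
      - ruby
    severity: WARNING
    # `consider_all_requests_local = true` is what the Rails generator writes into
    # config/environments/development.rb (and it is common in test.rb). Those
    # findings are by design, so the two files are excluded; production.rb and
    # application.rb remain in scope.
    paths:
      exclude:
        - config/environments/development.rb
        - config/environments/test.rb
    patterns:
      - pattern-either:
          # Case 1: the global switch is turned on.
          - patterns:
              - pattern: |
                  config.consider_all_requests_local = true
          # Case 2: a controller overrides the per-request hook. The match is
          # any explicit `return` whose value is not the literal `false`; a
          # conditional such as `return request.local?` is therefore reported
          # too, and a body that relies on an implicit return (no `return`
          # keyword) is not matched by this pattern as written.
          - patterns:
              - pattern-inside: |
                  class $CONTROLLER < ApplicationController
                    ...
                  end
              - pattern: |
                  def show_detailed_exceptions? (...)
                    ...
                  return $RETURN
                  end
              - metavariable-pattern:
                  metavariable: $RETURN
                  patterns:
                    - pattern-not: |
                        false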

Examples

detailed-exceptions.rb

Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.

  # Show full error reports and disable caching.
  # This is the generator default for development.rb; the same line in
  # production.rb would serve stack traces and request details to end users,
  # which is what the rule reports. The `ruleid` comment must stay on the line
  # directly above the flagged assignment for the semgrep test harness.
  # ruleid: detailed-exceptions
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false

  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false
end

Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.

  # Production-safe counterpart: detailed error pages are disabled, so users get
  # the generic public/500.html instead of a stack trace. Not reported.
  # ok: detailed-exceptions
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = false

  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false
end

class ConfigController < ApplicationController
  # Per-controller override of the Rails hook that decides whether a request
  # gets the detailed error page. Returning `true` unconditionally shows it to
  # every client regardless of environment; the rule fires on any explicit
  # `return` value other than the literal `false`.
  # ruleid: detailed-exceptions
  def show_detailed_exceptions?
    return true
  end
end

class ConfigController < ApplicationController
  # Same hook, explicitly disabled: `return false` is the one value the rule's
  # `pattern-not` excludes, so this is the expected-clean case.
  # ok: detailed-exceptions
  def show_detailed_exceptions?
    return false
  end
end