# Generation of Error Message Containing Sensitive Information (CWE-209)

The product generates an error message that includes sensitive information about its environment, users, or associated data.

**Stack:** JavaScript

- Prevalence: Mittel 3 Sprachen abgedeckt
- Impact: Mittel Review empfohlen
- Prevention: Dokumentiert 5 Fix-Beispiele

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

The sensitive information may be valuable information on its own, or it may be useful for launching other, more serious attacks. The error message may be created in different ways, and the information that is included can range widely.

## Prevention

Präventionsstrategien für Error Message Information Leak basierend auf 2 Shoulder-Erkennungsregeln.

### JavaScript

Return generic error messages to users and log detailed errors server-side

Configure errorFormatter to strip stack traces in production and use TRPCError with generic messages

## Warning Signs

- [MEDIUM] exposure of sensitive error information (error
- [MEDIUM] Error handling exposes implementation details. Use error formatter to sanitize errors in production.

## Consequences

- Anwendungsdaten lesen
- Dateien oder Verzeichnisse lesen

## Mitigations

- Ausnahmen intern behandeln und keine Fehler an den Benutzer anzeigen
- Standard-Fehlerseiten für HTTP-Fehler wie 404 und 500 erstellen
- Korrekte Fehlerbehandlung: detaillierte Fehler serverseitig protokollieren, dem Benutzer aber generische Meldungen anzeigen

## Detection

- Total rules: 5
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (2 rules)

- **Information Exposure Through Error Messages** [MEDIUM]: Detects exposure of sensitive error information (error.message, error.stack,
raw error objects) in HTTP responses. This can leak:

- Internal file paths and directory structure
- Database schema and query details
- Third-party API endpoints and credentials
- Software versions and technology stack
- Business logic and validation rules

Attackers use this information to:
- Map internal architecture
- Identify vulnerable dependencies
- Craft targeted attacks
- Bypass security controls
  - Remediation: Return generic error messages to users and log detailed errors server-side.

```javascript
} catch (error) {
  logger.error('Failed', { error: error.message });
  res.status(500).json({ error: 'An error occurred' });
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-209/error-message-exposure
- **tRPC Error Information Disclosure** [MEDIUM]: Exposing raw errors, stack traces, or database details to clients aids attackers
in reconnaissance and exploitation.
  - Remediation: Use errorFormatter to sanitize errors in production.

```typescript
export const t = initTRPC.context<Context>().create({
  errorFormatter({ shape }) {
    return {
      ...shape,
      data: {
        ...shape.data,
        stack: process.env.NODE_ENV === 'production' ? undefined : shape.data.stack
      }
    };
  }
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-209/error-information-leak

### Typescript (2 rules)

- **Information Exposure Through Error Messages** [MEDIUM]: Detects exposure of sensitive error information (error.message, error.stack,
raw error objects) in HTTP responses. This can leak:

- Internal file paths and directory structure
- Database schema and query details
- Third-party API endpoints and credentials
- Software versions and technology stack
- Business logic and validation rules

Attackers use this information to:
- Map internal architecture
- Identify vulnerable dependencies
- Craft targeted attacks
- Bypass security controls
  - Remediation: Return generic error messages to users and log detailed errors server-side.

```javascript
} catch (error) {
  logger.error('Failed', { error: error.message });
  res.status(500).json({ error: 'An error occurred' });
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-209/error-message-exposure
- **tRPC Error Information Disclosure** [MEDIUM]: Exposing raw errors, stack traces, or database details to clients aids attackers
in reconnaissance and exploitation.
  - Remediation: Use errorFormatter to sanitize errors in production.

```typescript
export const t = initTRPC.context<Context>().create({
  errorFormatter({ shape }) {
    return {
      ...shape,
      data: {
        ...shape.data,
        stack: process.env.NODE_ENV === 'production' ? undefined : shape.data.stack
      }
    };
  }
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-209/error-information-leak