# Generation of Error Message Containing Sensitive Information (CWE-209)

The product generates an error message that includes sensitive information about its environment, users, or associated data.

**Stack:** Python

- Prevalence: Medium (3 languages covered)
- Impact: Medium (review recommended)
- Prevention: Documented (5 fix examples)

**OWASP:** A04:2021 Insecure Design (#4)

## Description

The sensitive information may be valuable on its own, or it may be useful for launching other, more serious attacks. The error message may be created in different ways, and the information it includes can range widely: exception text, stack traces, database error strings, file system paths, internal hostnames or IP addresses, and configuration values all commonly end up in responses.

## Prevention

Prevention strategies for Error Message Information Leak, based on 2 Shoulder detection rules.

### Python

- Log full exception details internally but return generic error messages to users.
- Return generic responses; log internal paths server-side only.

## Warning Signs

- [MEDIUM] Error messages that expose sensitive implementation details such as stack traces, database errors, file paths, or internal system information.
- [MEDIUM] Responses that include internal file paths, IP addresses, or system information.

## Consequences

- Read application data
- Read files or directories

## Mitigations

- Handle exceptions internally and do not display raw errors to the user.
- Create default error pages for HTTP errors such as 404 and 500, so that the framework's debug page is never served.
- Implement error handling that logs detailed errors server-side but shows users a generic message (optionally with an opaque error ID they can quote to support, so the detail can be correlated in the logs without being exposed).

## Detection

- Total rules: 5
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **Error Message Information Disclosure** [MEDIUM]: Detects error messages that expose sensitive implementation details like stack traces, database errors, file paths, or internal system information. This information can help attackers understand the system architecture.
  - Remediation: Log full exception details internally but return generic error messages to users.
```python
import logging

from flask import Flask, jsonify

app = Flask(__name__)
logger = logging.getLogger(__name__)


def process_data():
    # Application-specific work; stands in for whatever the real handler calls.
    raise RuntimeError("example failure")


@app.route('/api/data')
def get_data():
    try:
        return jsonify(process_data())
    except Exception as e:
        # Full detail (message + traceback) goes to the server-side log only.
        logger.error("Processing failed: %s", e, exc_info=True)
        # The client gets a generic message with no exception text.
        return jsonify({'error': 'Internal server error'}), 500
```

Learn more: https://shoulder.dev/learn/python/cwe-209/error-message-exposure

- **Internal Path and IP Address Disclosure** [MEDIUM]: Detects responses that include internal file paths, IP addresses, or system information. This information helps attackers understand the system architecture, file structure, and internal network topology.
  - Remediation: Return generic error messages; log internal details without exposing them in responses.

```python
import logging

from flask import Flask, jsonify

app = Flask(__name__)
logger = logging.getLogger(__name__)


@app.route('/info')
def get_info():
    # Internal details such as the module path stay in the server log.
    logger.info("Request to %s", __file__)
    # The response carries only what a client legitimately needs.
    return jsonify({'status': 'ok', 'version': '1.0'})
```

Learn more: https://shoulder.dev/learn/python/cwe-209/internal-path-disclosure
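The two rules above describe what a leaking response looks like but not how to check for one. The following added example (written for this page, not part of Shoulder's rule source or any project code) puts a deliberately leaky error handler next to a hardened one that logs the full exception under an opaque error ID, and adds a small scanner, `find_leaks`, that approximates both rules with regular expressions: it flags stack traces, common database error strings, Unix/Windows file paths, and private or loopback IP addresses (public addresses are deliberately not flagged to limit false positives). The path list, the database-driver names, and the private-IP-only policy are assumptions chosen for illustration; the `/var/app/secrets/db.conf` path and the upstream URL in the test are constructed inputs. Only the standard library is used, so it runs without Flask.

```python
import ipaddress
import logging
import re
import traceback
import uuid

logging.basicConfig(level=logging.ERROR)
logger = logging.getLogger("errors")

# Patterns approximating the two Shoulder rules (assumed markers, not the vendor's rule source).
# Traceback pattern tolerates JSON-escaped quotes (File \"x.py\", line 3).
_TRACEBACK_RE = re.compile(r'Traceback \(most recent call last\)|File \\?"[^"]+\\?", line \d+')
_DB_ERR_RE = re.compile(
    r'\b(?:psycopg2|sqlite3|pymysql|sqlalchemy)\.(?:exc\.|errors\.)?\w+(?:Error|Exception|Table|Column)\b'
    r'|ORA-\d{5}|syntax error at or near', re.I)
# Absolute Unix paths under a few well-known roots, or Windows drive paths (assumed list).
_PATH_RE = re.compile(r'(?:/(?:home|var|usr|etc|opt|srv|app)/[^\s"\']+|[A-Za-z]:\\[^\s"\']+)')
_IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def find_leaks(body: str) -> list[str]:
    """Return sorted categories of sensitive detail found in a response body."""
    findings = set()
    if _TRACEBACK_RE.search(body):
        findings.add("stack-trace")
    if _DB_ERR_RE.search(body):
        findings.add("database-error")
    if _PATH_RE.search(body):
        findings.add("internal-path")
    for candidate in _IP_RE.findall(body):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 or a version string that is not an address
            continue
        # Policy assumed here: only addresses that reveal internal topology are flagged.
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            findings.add("internal-ip")
            break
    return sorted(findings)


def leaky_error_response(exc: Exception) -> tuple[dict, int]:
    """Vulnerable: echoes the exception text and the full traceback to the client."""
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return {"error": str(exc), "trace": trace}, 500


def safe_error_response(exc: Exception) -> tuple[dict, int]:
    """Hardened: detail goes to the log under an error ID; the client sees only the ID."""
    error_id = uuid.uuid4().hex
    logger.error("request failed error_id=%s", error_id, exc_info=exc)
    return {"error": "Internal server error", "error_id": error_id}, 500


def _render(body: dict) -> str:
    # Stand-in for the JSON serialisation a framework would apply before sending.
    import json
    return json.dumps(body)


def demo() -> dict:
    """Trigger a failure that embeds a path, then scan both handlers' output."""
    try:
        open("/var/app/secrets/db.conf")  # constructed path; raises FileNotFoundError
    except OSError as exc:
        leaky_body, _ = leaky_error_response(exc)
        safe_body, _ = safe_error_response(exc)
    return {"leaky": find_leaks(_render(leaky_body)), "safe": find_leaks(_render(safe_body))}


if __name__ == "__main__":
    print(demo())  # the leaky handler is flagged for the path and the traceback; the safe one is clean
```

Running `demo()` shows the leaky handler flagged for both `internal-path` and `stack-trace` while the hardened handler produces no findings, even though the same exception was raised; the correlation ID is what lets an operator recover the detail from the log.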