# Generation of Error Message Containing Sensitive Information (CWE-209)

The product generates an error message that includes sensitive information about its environment, users, or associated data.

- Prevalence: 中 3 言語をカバー
- Impact: ミディアム レビュー推奨
- Prevention: 文書化済み 5 件の修正例

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

The sensitive information may be valuable information on its own, or it may be useful for launching other, more serious attacks. The error message may be created in different ways, and the information that is included can range widely.

## Prevention

5 件の Shoulder 検出ルールに基づく Error Message Information Leak の予防策。

### Go

Return generic error messages to clients; log detailed errors server-side

### JavaScript

Return generic error messages to users and log detailed errors server-side

Configure errorFormatter to strip stack traces in production and use TRPCError with generic messages

### Python

Log full exception details internally but return generic error messages to users

Return generic responses; log internal paths server-side only

## Warning Signs

- [MEDIUM] exposure of sensitive error information (error
- [MEDIUM] error messages that expose sensitive implementation details like
stack traces, database errors, file
- [MEDIUM] responses that include internal file paths, IP addresses, or system
information
- [MEDIUM] Error handling exposes implementation details. Use error formatter to sanitize errors in production.

## Consequences

- アプリケーションデータの読み取り
- ファイルまたはディレクトリの読み取り

## Mitigations

- 例外は内部で処理し、ユーザーにエラーを表示しない
- 404 や 500 などの HTTP エラー用にデフォルトのエラーページを作成する
- サーバー側で詳細なエラーをログに記録し、ユーザーには汎用的なメッセージを表示する適切なエラー処理を実装する

## Detection

- Total rules: 5
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (2 rules)

- **Information Exposure Through Error Messages** [MEDIUM]: Detects exposure of sensitive error information (error.message, error.stack,
raw error objects) in HTTP responses. This can leak:

- Internal file paths and directory structure
- Database schema and query details
- Third-party API endpoints and credentials
- Software versions and technology stack
- Business logic and validation rules

Attackers use this information to:
- Map internal architecture
- Identify vulnerable dependencies
- Craft targeted attacks
- Bypass security controls
  - Remediation: Return generic error messages to users and log detailed errors server-side.

```javascript
} catch (error) {
  logger.error('Failed', { error: error.message });
  res.status(500).json({ error: 'An error occurred' });
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-209/error-message-exposure
- **tRPC Error Information Disclosure** [MEDIUM]: Exposing raw errors, stack traces, or database details to clients aids attackers
in reconnaissance and exploitation.
  - Remediation: Use errorFormatter to sanitize errors in production.

```typescript
export const t = initTRPC.context<Context>().create({
  errorFormatter({ shape }) {
    return {
      ...shape,
      data: {
        ...shape.data,
        stack: process.env.NODE_ENV === 'production' ? undefined : shape.data.stack
      }
    };
  }
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-209/error-information-leak

### Typescript (2 rules)

- **Information Exposure Through Error Messages** [MEDIUM]: Detects exposure of sensitive error information (error.message, error.stack,
raw error objects) in HTTP responses. This can leak:

- Internal file paths and directory structure
- Database schema and query details
- Third-party API endpoints and credentials
- Software versions and technology stack
- Business logic and validation rules

Attackers use this information to:
- Map internal architecture
- Identify vulnerable dependencies
- Craft targeted attacks
- Bypass security controls
  - Remediation: Return generic error messages to users and log detailed errors server-side.

```javascript
} catch (error) {
  logger.error('Failed', { error: error.message });
  res.status(500).json({ error: 'An error occurred' });
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-209/error-message-exposure
- **tRPC Error Information Disclosure** [MEDIUM]: Exposing raw errors, stack traces, or database details to clients aids attackers
in reconnaissance and exploitation.
  - Remediation: Use errorFormatter to sanitize errors in production.

```typescript
export const t = initTRPC.context<Context>().create({
  errorFormatter({ shape }) {
    return {
      ...shape,
      data: {
        ...shape.data,
        stack: process.env.NODE_ENV === 'production' ? undefined : shape.data.stack
      }
    };
  }
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-209/error-information-leak

### Python (2 rules)

- **Error Message Information Disclosure** [MEDIUM]: Detects error messages that expose sensitive implementation details like
stack traces, database errors, file paths, or internal system information.
This information can help attackers understand the system architecture.
  - Remediation: Log full exception details internally but return generic error messages to users.

```python
import logging
from flask import jsonify

logger = logging.getLogger(__name__)

@app.route('/api/data')
def get_data():
    try:
        return jsonify(process_data())
    except Exception as e:
        logger.error(f"Processing failed: {e}", exc_info=True)
        return jsonify({'error': 'Internal server error'}), 500
```

Learn more: https://shoulder.dev/learn/python/cwe-209/error-message-exposure
- **Internal Path and IP Address Disclosure** [MEDIUM]: Detects responses that include internal file paths, IP addresses, or system
information. This information helps attackers understand the system architecture,
file structure, and internal network topology.
  - Remediation: Return generic error messages; log internal details without exposing them in responses.

```python
import logging
from flask import jsonify

logger = logging.getLogger(__name__)

@app.route('/info')
def get_info():
    logger.info(f"Request to {__file__}")  # Log internally
    return jsonify({'status': 'ok', 'version': '1.0'})  # Generic response
```

Learn more: https://shoulder.dev/learn/python/cwe-209/internal-path-disclosure

### Go (1 rules)

- **Database Error Information Exposure in HTTP Response** [MEDIUM]: Internal error messages or stack traces exposed to users in HTTP responses.
  - Remediation: Return generic error messages to users, log details server-side.

```go
if err != nil {
    log.Printf("internal error: %v", err) // Log details
    http.Error(w, "An error occurred", 500) // Generic response
    return
}
```

Learn more: https://shoulder.dev/learn/go/cwe-209/error-message-exposure